[PATCH -next] firmware: imx: secure-enclave: avoid casting userspace pointers

Pankaj Gupta posted 1 patch 1 month, 1 week ago
drivers/firmware/imx/se_ctrl.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
[PATCH -next] firmware: imx: secure-enclave: avoid casting userspace pointers
Posted by Pankaj Gupta 1 month, 1 week ago
Sparse reports warnings where userspace pointers are cast to kernel
pointers, dropping the '__user' address space annotation.

In the ioctl and write paths, the transmit message header was validated
by casting userspace buffers directly to struct se_msg_hdr. Fix this by
validating the header using the kernel copy obtained via memdup_user()
instead.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202605062306.sx2OL0Ul-lkp@intel.com/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
 drivers/firmware/imx/se_ctrl.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 2ba0a6988a39..d2f7780054a3 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -532,19 +532,6 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
 		return -ENOSPC;
 	}
 
-	err = se_chk_tx_msg_hdr(priv, (struct se_msg_hdr *)cmd_snd_rcv_rsp_info.tx_buf);
-	if (err) {
-		se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
-		return err;
-	}
-
-	struct se_api_msg *rx_msg __free(kfree) =
-		kzalloc(cmd_snd_rcv_rsp_info.rx_buf_sz, GFP_KERNEL);
-	if (!rx_msg) {
-		se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
-		return -ENOMEM;
-	}
-
 	struct se_api_msg *tx_msg __free(kfree) =
 		memdup_user(cmd_snd_rcv_rsp_info.tx_buf,
 			    cmd_snd_rcv_rsp_info.tx_buf_sz);
@@ -554,6 +541,12 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
 		return err;
 	}
 
+	err = se_chk_tx_msg_hdr(priv, &tx_msg->header);
+	if (err) {
+		se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
+		return err;
+	}
+
 	if (tx_msg->header.tag != priv->if_defs->cmd_tag) {
 		se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
 		return -EINVAL;
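Review bot: The call added as `se_chk_tx_msg_hdr(priv, &tx_msg->header)` deserves a comment saying why it must run on the kernel copy, since the commit message presents the change only as a sparse annotation fix. The old call dereferenced the user buffer directly, so the header that was validated could differ from the one later copied by memdup_user(); a line such as `/* Validate the kernel copy: the user buffer can change after memdup_user(). */` above the call would keep a later refactor from moving the check back. The same comment applies to the matching call added in se_if_fops_write. Reading `tx_msg->header` also relies on tx_buf_sz covering at least a full header; that check is presumably the -ENOSPC return at the top of the first hunk, but it lies outside the visible lines. The function body starts and ends outside this hunk.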
@@ -570,6 +563,13 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
 	}
 	set_se_rcv_msg_timeout(priv, SE_RCV_MSG_LONG_TIMEOUT);
 
+	struct se_api_msg *rx_msg __free(kfree) =
+		kzalloc(cmd_snd_rcv_rsp_info.rx_buf_sz, GFP_KERNEL);
+	if (!rx_msg) {
+		se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
+		return -ENOMEM;
+	}
+
 	err = ele_msg_send_rcv(dev_ctx, tx_msg, cmd_snd_rcv_rsp_info.tx_buf_sz,
 			       rx_msg, cmd_snd_rcv_rsp_info.rx_buf_sz);
 	if (err < 0) {
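Review bot: `kzalloc(cmd_snd_rcv_rsp_info.rx_buf_sz, GFP_KERNEL)` takes its size straight from the ioctl argument, and no bound on rx_buf_sz is visible in this hunk. If none exists earlier in the function, a zero size yields ZERO_SIZE_PTR, which passes the `!rx_msg` test, and an oversized value reaches the allocator unchecked; a guard such as `if (cmd_snd_rcv_rsp_info.rx_buf_sz < SE_MU_HDR_SZ)` plus an upper limit before the allocation would close that. The allocation has also moved below `set_se_rcv_msg_timeout(priv, SE_RCV_MSG_LONG_TIMEOUT)`, so the -ENOMEM return now happens after the timeout was changed; it is worth confirming that se_ioctl_cmd_snd_rcv_cleanup() restores it, or allocating before that call. The move is not mentioned in the commit message. The function continues outside the hunk.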
@@ -759,10 +759,6 @@ static ssize_t se_if_fops_write(struct file *fp, const char __user *buf,
 		if (dev_ctx != priv->cmd_receiver_clbk_hdl.dev_ctx)
 			return -EINVAL;
 
-		err = se_chk_tx_msg_hdr(priv, (struct se_msg_hdr *)buf);
-		if (err)
-			return err;
-
 		if (size < SE_MU_HDR_SZ) {
 			dev_err(priv->dev, "%s: User buffer too small(%zu < %d).",
 				dev_ctx->devname, size, SE_MU_HDR_SZ);
@@ -773,6 +769,10 @@ static ssize_t se_if_fops_write(struct file *fp, const char __user *buf,
 		if (IS_ERR(tx_msg))
 			return PTR_ERR(tx_msg);
 
+		err = se_chk_tx_msg_hdr(priv, &tx_msg->header);
+		if (err)
+			return err;
+
 		print_hex_dump_debug("from user ", DUMP_PREFIX_OFFSET, 4, 4,
 				     tx_msg, size, false);
 
-- 
2.43.0
Re: [PATCH -next] firmware: imx: secure-enclave: avoid casting userspace pointers
Posted by Frank.Li@oss.nxp.com 1 week, 4 days ago
From: Frank Li <Frank.Li@nxp.com>


On Thu, 07 May 2026 12:24:03 +0530, Pankaj Gupta wrote:
> Sparse reports warnings where userspace pointers are cast to kernel
> pointers, dropping the '__user' address space annotation.
>
> In the ioctl and write paths, the transmit message header was validated
> by casting userspace buffers directly to struct se_msg_hdr. Fix this by
> validating the header using the kernel copy obtained via memdup_user()
> instead.
>
> [...]

Applied, thanks!

[1/1] firmware: imx: secure-enclave: avoid casting userspace pointers
      commit: 29fcae80c944312d1fa5dfb433a57ecaabdaf967

squash to previous commit

Best regards,
--
Frank Li <Frank.Li@nxp.com>