From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Date: Wed, 20 May 2026 20:49:44 +0000
Subject: [PATCH v4 1/5] optee: ffa: Add NULL check in optee_ffa_lend_protmem
Message-ID: <20260520204948.2440882-2-smostafa@google.com>
In-Reply-To: <20260520204948.2440882-1-smostafa@google.com>

Sashiko (locally) reports a possible null dereference under memory pressure
due to the lack of validation of the allocated pointer.

Fix that by adding the missing check.

Signed-off-by: Mostafa Saleh
---
 drivers/tee/optee/ffa_abi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
index b4372fa268d0..633715b98625 100644
--- a/drivers/tee/optee/ffa_abi.c
+++ b/drivers/tee/optee/ffa_abi.c
@@ -698,6 +698,9 @@ static int optee_ffa_lend_protmem(struct optee *optee, = struct tee_shm *protmem, int rc; =20 mem_attr =3D kzalloc_objs(*mem_attr, ma_count); + if (!mem_attr) + return -ENOMEM; + for (n =3D 0; n < ma_count; n++) { mem_attr[n].receiver =3D mem_attrs[n] & U16_MAX; mem_attr[n].attrs =3D mem_attrs[n] >> 16; --=20 2.54.0.669.g59709faab0-goog
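Review bot: the commit message carries no Fixes: tag although this adds a missing allocation-failure check to optee_ffa_lend_protmem(); please name the commit that introduced the unchecked kzalloc_objs() so the fix can be picked up by stable. Note also that `if (!mem_attr)` does not cover ma_count == 0, where kzalloc_objs() returns ZERO_SIZE_PTR rather than NULL, so the caller has to guarantee ma_count > 0 before this point for the check to be sufficient.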
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Date: Wed, 20 May 2026 20:49:45 +0000
Subject: [PATCH v4 2/5] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
Message-ID: <20260520204948.2440882-3-smostafa@google.com>
In-Reply-To: <20260520204948.2440882-1-smostafa@google.com>

Sashiko (locally) reports multiple out-of-bound issues in
ffa_setup_and_transmit:

1) Writing ep_mem_access->reserved can write out of bounds for FFA
   versions < 1.2 as ffa_emad_size_get() returns 16 bytes in that case
   while reserved has an offset of 24. Instead of zeroing fields, memset
   the struct to zero first based on the FFA version.

2) Make sure there is enough size to write constituents.

While at it, convert the only sizeof() in the driver that uses a type
instead of a variable.

Signed-off-by: Mostafa Saleh
Reviewed-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index eb2782848283..b700b2e93e72 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -697,11 +697,10 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, for (idx =3D 0; idx < args->nattrs; idx++) { ep_mem_access =3D buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version); + memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; - ep_mem_access->flag =3D 0; - ep_mem_access->reserved =3D 0; ffa_emad_impdef_value_init(drv_info->version, ep_mem_access->impdef_val, args->attrs[idx].impdef_val); @@ -741,7 +740,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents =3D buffer; } =20 - if ((void *)constituents - buffer > max_fragsize) { + if ((void *)constituents + sizeof(*constituents) - buffer > max_fragsize= ) { pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT; } 
@@ -750,7 +749,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents->pg_cnt =3D args->sg->length / FFA_PAGE_SIZE; constituents->reserved =3D 0; constituents++; - frag_len +=3D sizeof(struct ffa_mem_region_addr_range); + frag_len +=3D sizeof(*constituents); } while ((args->sg =3D sg_next(args->sg))); =20 return ffa_transmit_fragment(func_id, addr, buf_sz, frag_len, --=20 2.54.0.669.g59709faab0-goog
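Review bot: in the third hunk `frag_len +=3D sizeof(*constituents);` follows `constituents++;`; sizeof does not evaluate its operand, so the result is right, but a reader will see a use after the pointer was advanced, so either move the increment below the `frag_len` update or add a one-line comment. In the first hunk, the memset of ffa_emad_size_get(drv_info->version) bytes makes the write of `impdef_val` the only remaining field access that may lie beyond the 16-byte pre-1.2 descriptor, so the commit message should state that ffa_emad_impdef_value_init() is version-aware and skips it there. Since this fixes out-of-bounds writes, a Fixes: tag is also missing.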
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Date: Wed, 20 May 2026 20:49:46 +0000
Subject: [PATCH v4 3/5] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
Message-ID: <20260520204948.2440882-4-smostafa@google.com>
In-Reply-To: <20260520204948.2440882-1-smostafa@google.com>

From: Sebastian Ene

Use the descriptor's `ep_mem_offset` to calculate the start of the
endpoint memory access array and to comply with the FF-A spec instead of
defaulting to `sizeof(struct ffa_mem_region)`.

This requires moving `ffa_mem_region_additional_setup()` earlier in the
setup flow.

Also, add sanity checks to ensure the calculated descriptor offsets do
not exceed `max_fragsize`.

Signed-off-by: Sebastian Ene
Signed-off-by: Mostafa Saleh
Reviewed-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 16 +++++++++++-----
 include/linux/arm_ffa.h           |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index b700b2e93e72..8573a7a6556e 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c @@ -685,19 +685,26 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, struct ffa_composite_mem_region *composite; struct ffa_mem_region_addr_range *constituents; struct ffa_mem_region_attributes *ep_mem_access; - u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g); + u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g), ep_offset; + u32 emad_size =3D ffa_emad_size_get(drv_info->version); =20 mem_region->tag =3D args->tag; mem_region->flags =3D args->flags; mem_region->sender_id =3D drv_info->vm_id; mem_region->attributes =3D ffa_memory_attributes_get(func_id); + + ffa_mem_region_additional_setup(drv_info->version, mem_region); composite_offset =3D ffa_mem_desc_offset(buffer, args->nattrs, drv_info->version); + if (composite_offset + sizeof(*composite) > max_fragsize) + return -ENXIO; =20 for (idx =3D 0; idx < args->nattrs; idx++) { - ep_mem_access =3D buffer + - ffa_mem_desc_offset(buffer, idx, drv_info->version); - memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); + ep_offset =3D ffa_mem_desc_offset(buffer, idx, drv_info->version); + if (ep_offset + emad_size > max_fragsize) + return -ENXIO; + ep_mem_access =3D buffer + ep_offset; + memset(ep_mem_access, 0, emad_size); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; @@ -707,7 +714,6 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, } mem_region->handle =3D 0; mem_region->ep_count =3D args->nattrs; - ffa_mem_region_additional_setup(drv_info->version, mem_region); =20 composite =3D buffer + composite_offset; composite->total_pg_cnt =3D ffa_get_num_pages_sg(args->sg); diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h index 81e603839c4a..62d67dae8b70 100644 --- a/include/linux/arm_ffa.h +++ b/include/linux/arm_ffa.h 
@@ -445,7 +445,7 @@ ffa_mem_desc_offset(struct ffa_mem_region *buf, int cou= nt, u32 ffa_version) if (!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(ffa_version)) offset +=3D offsetof(struct ffa_mem_region, ep_mem_offset); else - offset +=3D sizeof(struct ffa_mem_region); + offset +=3D buf->ep_mem_offset; =20 return offset; } --=20 2.54.0.669.g59709faab0-goog
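Review bot: the two new `return -ENXIO;` paths in the driver.c hunk are silent and use a different error code from the existing size check a few lines further down in the same function (`pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT;`); the function should settle on one code and either log both or neither. With the arm_ffa.h hunk, ffa_mem_desc_offset() now reads `buf->ep_mem_offset` from the buffer it is given, so on the transmit side it is only correct because ffa_mem_region_additional_setup() is now called before the offset is computed; that ordering dependency deserves a comment at the call site, and any caller that applies the helper to a descriptor it did not build (the nVHE hyp code later in this series) has to bounds-check the returned offset before dereferencing.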
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Date: Wed, 20 May 2026 20:49:47 +0000
Subject: [PATCH v4 4/5] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
Message-ID: <20260520204948.2440882-5-smostafa@google.com>
In-Reply-To: <20260520204948.2440882-1-smostafa@google.com>

Sashiko (locally) reports out of bound write possibility if SPMD returns
invalid data.

While SPMD is considered trusted, pKVM does some basic checks, for offset
to be less than or equal to len. However, that is incorrect as even if
the offset is smaller than len pKVM can still access out of bound memory
in the next ffa_host_unshare_ranges().

Split this check into 2:
1- Check that the fixed portion of the descriptor fits.
2- After getting reg, check the variable array size addr_range_cnt fits.

Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index 1af722771178..e6aa2bfa63b1 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -607,7 +607,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, * check that we end up with something that doesn't look _completely_ * bogus. */ - if (WARN_ON(offset > len || + if (WARN_ON(offset + CONSTITUENTS_OFFSET(0) > len || fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) { ret =3D FFA_RET_ABORTED; ffa_rx_release(res); 
@@ -641,6 +641,11 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, goto out_unlock; =20 reg =3D (void *)buf + offset; + if (WARN_ON(offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len)) { + ret =3D FFA_RET_ABORTED; + goto out_unlock; + } + /* If the SPMD was happy, then we should be too. */ WARN_ON(ffa_host_unshare_ranges(reg->constituents, reg->addr_range_cnt)); --=20 2.54.0.669.g59709faab0-goog
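Review bot: both new checks bound the composite against `len`, but the RX buffer only holds `fraglen` initialised bytes, and patch 5/5 of this series switches its own check to fraglen for exactly that reason; unless do_ffa_mem_reclaim() already rejects fraglen != len before this point, the second check (which reads `reg->addr_range_cnt` at `offset`) should use `fraglen`, and the commit message should say which invariant makes `len` safe. Also, `offset` is a u32 from the SPMD; if CONSTITUENTS_OFFSET() evaluates to a 32-bit type the addition in both hunks can wrap for a large offset, so a subtraction form (`offset <= len && CONSTITUENTS_OFFSET(n) <= len - offset`) would not depend on the macro's type.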
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Date: Wed, 20 May 2026 20:49:48 +0000
Subject: [PATCH v4 5/5] KVM: arm64: Validate the offset to the mem access descriptor
Message-ID: <20260520204948.2440882-6-smostafa@google.com>
In-Reply-To: <20260520204948.2440882-1-smostafa@google.com>

From: Sebastian Ene

Prevent the pKVM hypervisor from making assumptions that the endpoint
memory access descriptor (EMAD) comes right after the FF-A memory region
header. Prior to FF-A version 1.1 the header of the memory region didn't
contain an offset to the endpoint memory access descriptor.

The layout of a memory transaction looks like this from 1.1 onward:

  Type     | Field name                 | Offset
  [ Header | ffa_mem_region             | 0
    EMAD 1 | ffa_mem_region_attributes  | ffa_mem_region.ep_mem_offset ]

Verify that the offset to the first endpoint memory access descriptor is
within the mailbox buffer bounds.

[@Mostafa, Add missing call to ffa_rx_release() and use fraglen as the
 max buffer size as it is the only initialised part]

Signed-off-by: Sebastian Ene
Signed-off-by: Mostafa Saleh --- arch/arm64/kvm/hyp/nvhe/ffa.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index e6aa2bfa63b1..38f35887e846 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges, checked_offset; + u32 offset, nr_ranges, checked_offset, em_mem_access_off; int ret =3D 0; =20 if (addr_mbz || npages_mbz || fraglen > len || @@ -508,8 +508,13 @@ static void __do_ffa_mem_xfer(const u64 func_id, buf =3D hyp_buffers.tx; memcpy(buf, host_buffers.tx, fraglen); =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if (em_mem_access_off + sizeof(struct ffa_mem_region_attributes) > fragle= n) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; if (!offset || buf->ep_count !=3D 1 || buf->sender_id !=3D HOST_FFA_ID) { ret =3D FFA_RET_INVALID_PARAMETERS; @@ -576,7 +581,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, DECLARE_REG(u32, flags, ctxt, 3); struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; - u32 offset, len, fraglen, fragoff; + u32 offset, len, fraglen, fragoff, em_mem_access_off; struct ffa_mem_region *buf; int ret =3D 0; u64 handle; 
@@ -599,8 +604,14 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, len =3D res->a1; fraglen =3D res->a2; =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if (em_mem_access_off + sizeof(struct ffa_mem_region_attributes) > fragle= n) { + ret =3D FFA_RET_INVALID_PARAMETERS; + ffa_rx_release(res); + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; /* * We can trust the SPMD to get this right, but let's at least --=20 2.54.0.669.g59709faab0-goog
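Review bot: the same six-line check is now duplicated in __do_ffa_mem_xfer() and do_ffa_mem_reclaim(); a small helper taking buf, fraglen and hyp_ffa_version and returning the validated offset (or an error) would keep the two paths identical and leave the reclaim-specific ffa_rx_release() call at the caller. The bound uses `sizeof(struct ffa_mem_region_attributes)` whereas the driver side in patch 2/5 sizes the descriptor with ffa_emad_size_get(); the full struct is the stricter bound, which is acceptable, but a comment should say that the choice is deliberate. Naming: `em_mem_access_off` beside `ep_mem_access` reads like a typo; `ep_mem_access_off` would match the existing variable.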
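As an added stand-alone example (not code from the kernel or from this series), the checks the series introduces gathered into one version-aware validator for a descriptor copied from an untrusted buffer: header, first EMAD via ep_mem_offset (or its pre-1.1 position), then the composite's fixed part and its variable-length constituent array, each bounded against fraglen with wrap-safe arithmetic. The struct layouts are constructed simplifications whose field sizes are assumptions, and CONSTITUENTS_OFF, range_fits, validate_mem_txn and build_sample are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified layouts modelled on the FF-A memory transaction
 * descriptor the commit message describes: header at offset 0, EMAD array at
 * ep_mem_offset, composite at the EMAD's composite_off. Field sizes are
 * assumptions for this example, not the kernel's struct definitions. */
struct mem_region_hdr {
	uint16_t sender_id;
	uint16_t attributes;
	uint32_t flags;
	uint64_t handle;
	uint64_t tag;
	uint32_t ep_mem_size;
	uint32_t ep_count;
	uint32_t ep_mem_offset;	/* only present from FF-A v1.1 on */
	uint32_t reserved[3];
};

struct emad {			/* endpoint memory access descriptor */
	uint16_t receiver;
	uint8_t attrs;
	uint8_t flag;
	uint32_t composite_off;
	uint64_t reserved;
};

struct addr_range { uint64_t address; uint32_t pg_cnt; uint32_t reserved; };

struct composite {
	uint32_t total_pg_cnt;
	uint32_t addr_range_cnt;
	uint64_t reserved;
	struct addr_range constituents[];
};

/* Byte offset of constituent n, computed in 64 bits so a hostile count
 * cannot wrap the multiplication. */
#define CONSTITUENTS_OFF(n) \
	(offsetof(struct composite, constituents) + (uint64_t)(n) * sizeof(struct addr_range))

/* True if [off, off + size) lies inside the first `limit` bytes. Written as
 * a subtraction so an attacker-chosen 32-bit offset cannot wrap the sum. */
static bool range_fits(uint64_t off, uint64_t size, uint64_t limit)
{
	return off <= limit && size <= limit - off;
}

/* Validate an untrusted descriptor copied into a buffer of which only `fraglen`
 * bytes are initialised. Returns the constituent count, or -1 on any violation. */
int validate_mem_txn(const uint8_t *buf, uint32_t fraglen, bool has_ep_mem_offset)
{
	struct mem_region_hdr hdr;
	struct emad ep;
	struct composite comp;
	uint64_t emad_off;

	if (!range_fits(0, sizeof(hdr), fraglen))
		return -1;
	memcpy(&hdr, buf, sizeof(hdr));

	/* Pre-1.1 descriptors carry no ep_mem_offset: the EMAD array starts
	 * where that field would be, as ffa_mem_desc_offset() assumes. */
	emad_off = has_ep_mem_offset ? hdr.ep_mem_offset
				     : offsetof(struct mem_region_hdr, ep_mem_offset);
	if (hdr.ep_count != 1 || !range_fits(emad_off, sizeof(ep), fraglen))
		return -1;
	memcpy(&ep, buf + emad_off, sizeof(ep));

	/* Fixed part of the composite first, then the variable-length array:
	 * the two-step check of do_ffa_mem_reclaim(). */
	if (!ep.composite_off ||
	    !range_fits(ep.composite_off, CONSTITUENTS_OFF(0), fraglen))
		return -1;
	memcpy(&comp, buf + ep.composite_off, CONSTITUENTS_OFF(0));
	if (!range_fits(ep.composite_off, CONSTITUENTS_OFF(comp.addr_range_cnt), fraglen))
		return -1;
	return (int)comp.addr_range_cnt;
}

/* Build a constructed v1.1-style descriptor: one EMAD at `emad_off`, a composite
 * with `nranges` constituents at `comp_off`. Parts that would not fit in `buflen`
 * are left unwritten so out-of-range offsets can be exercised safely. */
void build_sample(uint8_t *buf, uint32_t buflen, uint32_t emad_off,
		  uint32_t comp_off, uint32_t nranges)
{
	struct mem_region_hdr hdr = { .ep_mem_size = sizeof(struct emad),
				      .ep_count = 1, .ep_mem_offset = emad_off };
	struct emad ep = { .receiver = 0x8001, .composite_off = comp_off };
	struct composite comp = { .total_pg_cnt = nranges, .addr_range_cnt = nranges };

	memset(buf, 0, buflen);
	memcpy(buf, &hdr, sizeof(hdr));
	if (range_fits(emad_off, sizeof(ep), buflen))
		memcpy(buf + emad_off, &ep, sizeof(ep));
	if (range_fits(comp_off, CONSTITUENTS_OFF(0), buflen))
		memcpy(buf + comp_off, &comp, CONSTITUENTS_OFF(0));
}
```

With the constructed layout, a descriptor whose composite needs 120 bytes passes with fraglen 256 but is rejected with fraglen 100 at the array check, and an ep_mem_offset of 0xFFFFFFF0 is rejected without the sum wrapping.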