Date: Tue, 26 May 2026 15:19:29 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260526151934.3783707-2-smostafa@google.com>
Subject: [PATCH v5 1/6] optee: ffa: Add NULL check in optee_ffa_lend_protmem
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports a possible null dereference under memory pressure due to the lack of validation of the allocated pointer. Fix that by adding the missing check.

Signed-off-by: Mostafa Saleh
Reviewed-by: Sebastian Ene
---
 drivers/tee/optee/ffa_abi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
index b4372fa268d0..633715b98625 100644
--- a/drivers/tee/optee/ffa_abi.c
+++ b/drivers/tee/optee/ffa_abi.c
@@ -698,6 +698,9 @@ static int optee_ffa_lend_protmem(struct optee *optee, = struct tee_shm *protmem, int rc; =20 mem_attr =3D kzalloc_objs(*mem_attr, ma_count); + if (!mem_attr) + return -ENOMEM; + for (n =3D 0; n < ma_count; n++) { mem_attr[n].receiver =3D mem_attrs[n] & U16_MAX; mem_attr[n].attrs =3D mem_attrs[n] >> 16; --=20 2.54.0.746.g67dd491aae-goog
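Review bot: in the @@ -698 hunk the new `return -ENOMEM;` bails out directly even though the function keeps an `int rc` for its error paths; if anything allocated or mapped earlier in optee_ffa_lend_protmem() is released through a cleanup label that the later rc-based returns use, this early return leaks it, so either confirm that nothing before the kzalloc_objs() call needs unwinding or set `rc = -ENOMEM` and jump to the same label the other failures use. The commit message also carries no `Fixes:` tag for the change that introduced the unchecked allocation, which stable maintainers will ask for.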

Date: Tue, 26 May 2026 15:19:30 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260526151934.3783707-3-smostafa@google.com>
Subject: [PATCH v5 2/6] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports multiple out-of-bound issues in ffa_setup_and_transmit:

1) Writing ep_mem_access->reserved can write out of bounds for FFA versions < 1.2 as ffa_emad_size_get() returns 16 bytes in that case while reserved has an offset of 24. Instead of zeroing fields, memset the struct to zero first based on the FFA version.

2) Make sure there is enough size to write constituents.

While at it, convert the only sizeof() in the driver that uses a type instead of a variable.

Reviewed-by: Sudeep Holla
Signed-off-by: Mostafa Saleh
---
 drivers/firmware/arm_ffa/driver.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index b9f17fda7243..059e2aae7ca0 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -715,11 +715,10 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, for (idx =3D 0; idx < args->nattrs; idx++) { ep_mem_access =3D buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version); + memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; - ep_mem_access->flag =3D 0; - ep_mem_access->reserved =3D 0; ffa_emad_impdef_value_init(drv_info->version, ep_mem_access->impdef_val, args->attrs[idx].impdef_val); @@ -759,7 +758,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents =3D buffer; } =20 - if ((void *)constituents - buffer > max_fragsize) { + if ((void *)constituents + sizeof(*constituents) - buffer > max_fragsize= ) { pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT; } 
@@ -768,7 +767,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents->pg_cnt =3D args->sg->length / FFA_PAGE_SIZE; constituents->reserved =3D 0; constituents++; - frag_len +=3D sizeof(struct ffa_mem_region_addr_range); + frag_len +=3D sizeof(*constituents); } while ((args->sg =3D sg_next(args->sg))); =20 return ffa_transmit_fragment(func_id, addr, buf_sz, frag_len, --=20 2.54.0.746.g67dd491aae-goog
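Review bot: in the @@ -715 hunk, `memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version));` now writes a version-dependent number of bytes at `buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version)`, but nothing in this hunk checks that the descriptor plus its emad size still lies within `max_fragsize`; the `ep_offset + emad_size > max_fragsize` check only arrives in patch 3/6 of this series, so either state that dependency in the commit message or fold the bound check into this patch so that it is self-contained when backported on its own.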
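Review bot: in the @@ -768 hunk, `frag_len += sizeof(*constituents);` is placed after `constituents++;`, which reads as though it measures the element the pointer has just moved past; it is harmless because sizeof does not evaluate its operand, but moving the `frag_len` update above the increment (next to the `constituents->pg_cnt` and `constituents->reserved` writes) would make the intent obvious without the reader having to reason about that.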

Date: Tue, 26 May 2026 15:19:31 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260526151934.3783707-4-smostafa@google.com>
Subject: [PATCH v5 3/6] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

From: Sebastian Ene

Use the descriptor's `ep_mem_offset` to calculate the start of the endpoint memory access array and to comply with the FF-A spec instead of defaulting to `sizeof(struct ffa_mem_region)`. This requires moving `ffa_mem_region_additional_setup()` earlier in the setup flow.

Also, add sanity checks to ensure the calculated descriptor offsets do not exceed `max_fragsize`.

[@Mostafa Harden error checking]

Signed-off-by: Sebastian Ene
Reviewed-by: Sudeep Holla
Signed-off-by: Mostafa Saleh
---
 drivers/firmware/arm_ffa/driver.c | 16 +++++++++++-----
 include/linux/arm_ffa.h           |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 059e2aae7ca0..bed4bd48963f 100644
--- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -703,19 +703,26 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, struct ffa_composite_mem_region *composite; struct ffa_mem_region_addr_range *constituents; struct ffa_mem_region_attributes *ep_mem_access; - u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g); + u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g), ep_offset; + u32 emad_size =3D ffa_emad_size_get(drv_info->version); =20 mem_region->tag =3D args->tag; mem_region->flags =3D args->flags; mem_region->sender_id =3D drv_info->vm_id; mem_region->attributes =3D ffa_memory_attributes_get(func_id); + + ffa_mem_region_additional_setup(drv_info->version, mem_region); composite_offset =3D ffa_mem_desc_offset(buffer, args->nattrs, drv_info->version); + if (composite_offset + sizeof(*composite) > max_fragsize) + return -ENXIO; =20 for (idx =3D 0; idx < args->nattrs; idx++) { - ep_mem_access =3D buffer + - ffa_mem_desc_offset(buffer, idx, drv_info->version); - memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); + ep_offset =3D ffa_mem_desc_offset(buffer, idx, drv_info->version); + if (ep_offset + emad_size > max_fragsize) + return -ENXIO; + ep_mem_access =3D buffer + ep_offset; + memset(ep_mem_access, 0, emad_size); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; @@ -725,7 +732,6 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, } mem_region->handle =3D 0; mem_region->ep_count =3D args->nattrs; - ffa_mem_region_additional_setup(drv_info->version, mem_region); =20 composite =3D buffer + composite_offset; composite->total_pg_cnt =3D ffa_get_num_pages_sg(args->sg); diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h index 81e603839c4a..62d67dae8b70 100644 --- a/include/linux/arm_ffa.h 
+++ b/include/linux/arm_ffa.h 
@@ -445,7 +445,7 @@ ffa_mem_desc_offset(struct ffa_mem_region *buf, int cou= nt, u32 ffa_version) if (!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(ffa_version)) offset +=3D offsetof(struct ffa_mem_region, ep_mem_offset); else - offset +=3D sizeof(struct ffa_mem_region); + offset +=3D buf->ep_mem_offset; =20 return offset; } --=20 2.54.0.746.g67dd491aae-goog
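Review bot: in the @@ -703 hunk of driver.c, `ffa_mem_region_additional_setup(drv_info->version, mem_region);` now runs before `mem_region->handle = 0;` and `mem_region->ep_count = args->nattrs;`, which stay after the loop in the @@ -725 hunk; the move is needed so ffa_mem_desc_offset() can read `buf->ep_mem_offset`, but please confirm the setup helper does not itself consult `ep_count` or `handle`, since it would now see whatever the caller left there. Separately, the two new `return -ENXIO;` paths fail silently while the neighbouring constituent check in the same function (from patch 2/6: `pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT;`) logs and uses -EFAULT; one error code and one diagnostic for all three oversize cases would make the failures consistent and easier to debug from a log.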
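Review bot: in the @@ -445 hunk of arm_ffa.h, `offset += buf->ep_mem_offset;` turns ffa_mem_desc_offset() from a function of the version alone into one that trusts a field inside the descriptor it is handed, so every caller that passes a buffer filled by another party (the pKVM callers touched in patches 4/6 and 5/6 read buffers written by the host or by the SPMD) must bound-check the returned offset before dereferencing it, and the driver.c caller must have run ffa_mem_region_additional_setup() first, as the first hunk now does. A short comment above the function stating that `buf->ep_mem_offset` must be initialised by the caller and validated against the buffer size would document that new contract at the one place every caller looks.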

Date: Tue, 26 May 2026 15:19:32 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260526151934.3783707-5-smostafa@google.com>
Subject: [PATCH v5 4/6] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports an out-of-bounds write possibility if the SPMD returns invalid data. While the SPMD is considered trusted, pKVM does some basic checks, for offset to be less than or equal to len. However, that is incorrect as even if the offset is smaller than len, pKVM can still access out-of-bounds memory in the next ffa_host_unshare_ranges().

Split this check into 2:
1- Check that the fixed portion of the descriptor fits.
2- After getting reg, check that the variable array size addr_range_cnt fits.

Also, drop the WARN_ONs as that will panic the kernel and in the next checks there are no WARNs, so that makes it consistent.

Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index 1af722771178..b6cf9ad82e12 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -607,8 +607,8 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, * check that we end up with something that doesn't look _completely_ * bogus. */ - if (WARN_ON(offset > len || - fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) { + if (offset + CONSTITUENTS_OFFSET(0) > len || + fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) { ret =3D FFA_RET_ABORTED; ffa_rx_release(res); goto out_unlock; 
@@ -641,6 +641,11 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, goto out_unlock; =20 reg =3D (void *)buf + offset; + if (offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len) { + ret =3D FFA_RET_ABORTED; + goto out_unlock; + } + /* If the SPMD was happy, then we should be too. */ WARN_ON(ffa_host_unshare_ranges(reg->constituents, reg->addr_range_cnt)); --=20 2.54.0.746.g67dd491aae-goog
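Review bot: in the @@ -607 hunk, `offset + CONSTITUENTS_OFFSET(0) > len` adds to a u32 `offset` that was read out of the SPMD-filled descriptor; unless CONSTITUENTS_OFFSET() evaluates to a size_t, a large `offset` can wrap the sum back below `len` and the check passes exactly for the value it is meant to reject. Patch 5/6 writes the analogous test as `(u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen`; the same cast here would make the two checks consistent and remove the dependence on the macro's type.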
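Review bot: in the @@ -641 hunk, the new `offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len` check sits after the `goto out_unlock;` that follows the preceding call into the SPMD, so a descriptor with a bogus `addr_range_cnt` is only rejected once that call has completed; if that call is the reclaim itself, aborting here leaves the SPMD's view of the memory and the host's stage-2 ranges out of step, so consider validating `addr_range_cnt` as soon as the full descriptor is in `buf` and before anything is sent to the SPMD. Also confirm that CONSTITUENTS_OFFSET() does its multiplication in a type wide enough that a huge `addr_range_cnt` cannot wrap the result below `len`.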

Date: Tue, 26 May 2026 15:19:33 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260526151934.3783707-6-smostafa@google.com>
Subject: [PATCH v5 5/6] KVM: arm64: Validate the offset to the mem access descriptor
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

From: Sebastian Ene

Prevent the pKVM hypervisor from making assumptions that the endpoint memory access descriptor (EMAD) comes right after the FF-A memory region header. Prior to FF-A version 1.1 the header of the memory region didn't contain an offset to the endpoint memory access descriptor. The layout of a memory transaction looks like this from 1.1 onward:

  Type     | Field name                | Offset
  [ Header | ffa_mem_region            | 0
    EMAD 1 | ffa_mem_region_attributes | ffa_mem_region.ep_mem_offset ]

Verify that the offset to the first endpoint memory access descriptor is within the mailbox buffer bounds.

Also, fix one hardcoded sizeof(struct ffa_mem_region_attributes) that should be replaced by ffa_emad_size_get() for compatibility with FFA v1.0.

[@Mostafa, Add missing call to ffa_rx_release() and use fraglen as the max buffer size as it is the only initialised part]

Signed-off-by: Sebastian Ene
Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index b6cf9ad82e12..79de358333e4 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges, checked_offset; + u32 offset, nr_ranges, checked_offset, em_mem_access_off; int ret =3D 0; =20 if (addr_mbz || npages_mbz || fraglen > len || @@ -489,7 +489,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, } =20 if (fraglen < sizeof(struct ffa_mem_region) + - sizeof(struct ffa_mem_region_attributes)) { + ffa_emad_size_get(hyp_ffa_version)) { ret =3D FFA_RET_INVALID_PARAMETERS; goto out; }
@@ -508,8 +508,13 @@ static void __do_ffa_mem_xfer(const u64 func_id, buf =3D hyp_buffers.tx; memcpy(buf, host_buffers.tx, fraglen); =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; if (!offset || buf->ep_count !=3D 1 || buf->sender_id !=3D HOST_FFA_ID) { ret =3D FFA_RET_INVALID_PARAMETERS; @@ -576,7 +581,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, DECLARE_REG(u32, flags, ctxt, 3); struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; - u32 offset, len, fraglen, fragoff; + u32 offset, len, fraglen, fragoff, em_mem_access_off; struct ffa_mem_region *buf; int ret =3D 0; u64 handle; 
@@ -599,8 +604,14 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, len =3D res->a1; fraglen =3D res->a2; =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + ffa_rx_release(res); + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; /* * We can trust the SPMD to get this right, but let's at least --=20 2.54.0.746.g67dd491aae-goog
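Review bot: naming in the `@@ -479` hunk is inconsistent: the new offset variable is `em_mem_access_off` while the pointer it feeds is `ep_mem_access` (of type `struct ffa_mem_region_attributes`); `ep_mem_access_off`, or `emad_off` to match the EMAD term used in the commit message, would make the pairing obvious. The same applies to the matching declaration added in the `@@ -576` hunk for `do_ffa_mem_reclaim()`.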
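Review bot: the early minimum-size check in the `@@ -489` hunk is now correct for both FF-A versions, but with the explicit `em_mem_access_off + emad size > fraglen` bound added further down, its remaining job is to guarantee that the `struct ffa_mem_region` header (including `ep_mem_offset`, which is where the v1.1 EMAD offset is read from) lies within `fraglen` before the offset is consulted; a short comment saying so would make the division of labour between the two checks clear and stop someone "simplifying" one of them away later.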
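Review bot: the new bound in the `@@ -508` hunk compares against `fraglen` rather than the TX buffer size, and the reason (only `fraglen` bytes were copied from `host_buffers.tx` by the `memcpy()` two lines above, so anything past that in `hyp_buffers.tx` is stale) lives only in the bracketed commit-message note; a one-line comment above the `if` would keep that rationale with the code. The `(u64)` cast is the right call, since `em_mem_access_off` is derived from the host-controlled header and the addition could otherwise wrap in `u32`.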
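Review bot: in the `@@ -599` hunk, `ret` is set to `FFA_RET_INVALID_PARAMETERS` and then `ffa_rx_release(res)` is called before `goto out_unlock`; if `ffa_rx_release()` writes the RX_RELEASE result into `res` and `out_unlock` only fills `res` from `ret` conditionally, the caller could see the release call's result instead of the intended error. Worth confirming the ordering against the existing error paths of `do_ffa_mem_reclaim()`, and, if there are other early exits after the RX buffer has been filled, giving them the same release so the omission the commit message mentions does not recur.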
Date: Tue, 26 May 2026 15:19:34 +0000
In-Reply-To: <20260526151934.3783707-1-smostafa@google.com>
References: <20260526151934.3783707-1-smostafa@google.com>
Message-ID: <20260526151934.3783707-7-smostafa@google.com>
Subject: [PATCH v5 6/6] KVM: arm64: Ensure FFA ranges are page aligned
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

At the moment we only check that the size of the range is page aligned,
and truncate the address to the page boundary. This makes an assumption
that TZ will do the same.

Harden this check by also checking that the base address is aligned and
reject it otherwise.

Signed-off-by: Mostafa Saleh
---
arch/arm64/kvm/hyp/nvhe/ffa.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 79de358333e4..ea39e3362efe 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -352,7 +352,7 @@ static u32 __ffa_host_share_ranges(struct ffa_mem_regio= n_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_share_ffa(pfn, sz / PAGE_SIZE)) @@ -372,7 +372,7 @@ static u32 __ffa_host_unshare_ranges(struct ffa_mem_reg= ion_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_unshare_ffa(pfn, sz / PAGE_SIZE)) --=20 2.54.0.746.g67dd491aae-goog
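Review bot: `PAGE_ALIGNED(sz | range->address)` in the `@@ -352` hunk rejects any `range->address` that is not `PAGE_SIZE`-aligned, while `sz` is built from `FFA_PAGE_SIZE` units; on a kernel with 16K or 64K pages that is stricter than 4K FF-A granularity, as the existing `sz` check already was, so a comment stating that both the size and the base address must be host-page aligned would record the intent. Note also that `pfn` is still computed from `hyp_phys_to_pfn(range->address)` before the check, so the truncation the commit message describes still happens for a rejected range, it is just never used; spelling the condition as `!PAGE_ALIGNED(range->address) || !PAGE_ALIGNED(sz)` would read more directly than the OR trick.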
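Review bot: the `@@ -372` hunk duplicates the alignment check from `__ffa_host_share_ranges()` in `__ffa_host_unshare_ranges()`; with both now testing `sz | range->address`, a small helper (say, `ffa_range_is_page_aligned(range)`, name suggested here) would keep the two paths in sync the next time the condition changes.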