From nobody Mon Jun 8 17:46:25 2026
Date: Wed, 27 May 2026 15:02:31 +0000
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
Message-ID: <20260527150236.1978655-2-smostafa@google.com>
Subject: [PATCH v6 1/6] optee: ffa: Add NULL check in optee_ffa_lend_protmem
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports a possible null dereference under memory pressure due to the lack of validation of the allocated pointer.

Fix that by adding the missing check.

Fixes: 2b78d79cdf96 ("optee: FF-A: dynamic protected memory allocation")
Signed-off-by: Mostafa Saleh
Reviewed-by: Sumit Garg
---
 drivers/tee/optee/ffa_abi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
index b4372fa268d0..633715b98625 100644
--- a/drivers/tee/optee/ffa_abi.c
+++ b/drivers/tee/optee/ffa_abi.c
@@ -698,6 +698,9 @@ static int optee_ffa_lend_protmem(struct optee *optee, = struct tee_shm *protmem, int rc; =20 mem_attr =3D kzalloc_objs(*mem_attr, ma_count); + if (!mem_attr) + return -ENOMEM; + for (n =3D 0; n < ma_count; n++) { mem_attr[n].receiver =3D mem_attrs[n] & U16_MAX; mem_attr[n].attrs =3D mem_attrs[n] >> 16;
-- 
2.54.0.746.g67dd491aae-goog
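Review bot: the early `return -ENOMEM;` after `kzalloc_objs()` skips whatever the function's later `rc` path releases, so confirm nothing acquired earlier in `optee_ffa_lend_protmem()` (the hunk only shows `int rc;` and the allocation) needs undoing on this path; if something does, this should `goto` the existing cleanup label rather than return directly.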
Date: Wed, 27 May 2026 15:02:32 +0000
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
Message-ID: <20260527150236.1978655-3-smostafa@google.com>
Subject: [PATCH v6 2/6] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports multiple out-of-bound issues in ffa_setup_and_transmit:

1) Writing ep_mem_access->reserved can write out of bounds for FFA versions < 1.2 as ffa_emad_size_get() returns 16 bytes in that case while reserved has an offset of 24.
   Instead of zeroing fields, memset the struct to zero first based on the FFA version.

2) Make sure there is enough size to write constituents.

While at it, convert the only sizeof() in the driver that uses a type instead of a variable.

Reviewed-by: Sudeep Holla
Fixes: 111a833dc5cb ("firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors")
Signed-off-by: Mostafa Saleh
---
 drivers/firmware/arm_ffa/driver.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index b9f17fda7243..059e2aae7ca0 100644
--- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -715,11 +715,10 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, for (idx =3D 0; idx < args->nattrs; idx++) { ep_mem_access =3D buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version); + memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; - ep_mem_access->flag =3D 0; - ep_mem_access->reserved =3D 0; ffa_emad_impdef_value_init(drv_info->version, ep_mem_access->impdef_val, args->attrs[idx].impdef_val); @@ -759,7 +758,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents =3D buffer; } =20 - if ((void *)constituents - buffer > max_fragsize) { + if ((void *)constituents + sizeof(*constituents) - buffer > max_fragsize= ) { pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT; } 
@@ -768,7 +767,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents->pg_cnt =3D args->sg->length / FFA_PAGE_SIZE; constituents->reserved =3D 0; constituents++; - frag_len +=3D sizeof(struct ffa_mem_region_addr_range); + frag_len +=3D sizeof(*constituents); } while ((args->sg =3D sg_next(args->sg))); =20 return ffa_transmit_fragment(func_id, addr, buf_sz, frag_len,
-- 
2.54.0.746.g67dd491aae-goog
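Review bot: the first hunk's `memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version));` is bounded by the version-dependent EMAD size, but nothing in this patch checks that `ffa_mem_desc_offset(buffer, idx, drv_info->version)` plus that size stays within `max_fragsize`, so for a large enough `args->nattrs` the zeroing can still run past the Tx buffer; the next patch in the series adds exactly that `ep_offset + emad_size > max_fragsize` bound. Since this is the patch carrying the `Fixes:` tag that stable trees will backport on its own, either include that check here or state in the commit message that 3/6 is required with it.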
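Review bot: the second hunk's corrected bound `(void *)constituents + sizeof(*constituents) - buffer > max_fragsize` is right, but the failure path still returns `-EFAULT`, which callers cannot distinguish from a real fault and which differs from the `-ENXIO` used for the size checks added to this function later in the series; pick one errno for "descriptor does not fit in the Tx buffer" and have the `pr_err()` print the offending offset and `max_fragsize` so the failure is diagnosable.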
Date: Wed, 27 May 2026 15:02:33 +0000
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
Message-ID: <20260527150236.1978655-4-smostafa@google.com>
Subject: [PATCH v6 3/6] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

From: Sebastian Ene

Use the descriptor's `ep_mem_offset` to calculate the start of the endpoint memory access array and to comply with the FF-A spec instead of defaulting to `sizeof(struct ffa_mem_region)`. This requires moving `ffa_mem_region_additional_setup()` earlier in the setup flow.

Also, add sanity checks to ensure the calculated descriptor offsets do not exceed `max_fragsize`.

[@Mostafa Harden error checking]

Fixes: 113580530ee7 ("firmware: arm_ffa: Update memory descriptor to support v1.1 format")
Signed-off-by: Sebastian Ene
Reviewed-by: Sudeep Holla
Signed-off-by: Mostafa Saleh
---
 drivers/firmware/arm_ffa/driver.c | 16 +++++++++++-----
 include/linux/arm_ffa.h           |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 059e2aae7ca0..bed4bd48963f 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -703,19 +703,26 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, struct ffa_composite_mem_region *composite; struct ffa_mem_region_addr_range *constituents; struct ffa_mem_region_attributes *ep_mem_access; - u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g); + u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g), ep_offset; + u32 emad_size =3D ffa_emad_size_get(drv_info->version); =20 mem_region->tag =3D args->tag; mem_region->flags =3D args->flags; mem_region->sender_id =3D drv_info->vm_id; mem_region->attributes =3D ffa_memory_attributes_get(func_id); + + ffa_mem_region_additional_setup(drv_info->version, mem_region); composite_offset =3D ffa_mem_desc_offset(buffer, args->nattrs, drv_info->version); + if (composite_offset + sizeof(*composite) > max_fragsize) + return -ENXIO; =20 for (idx =3D 0; idx < args->nattrs; idx++) { - ep_mem_access =3D buffer + - ffa_mem_desc_offset(buffer, idx, drv_info->version); - memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); + ep_offset =3D ffa_mem_desc_offset(buffer, idx, drv_info->version); + if (ep_offset + emad_size > max_fragsize) + return -ENXIO; + ep_mem_access =3D buffer + ep_offset; + memset(ep_mem_access, 0, emad_size); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; @@ -725,7 +732,6 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, } mem_region->handle =3D 0; mem_region->ep_count =3D args->nattrs; - ffa_mem_region_additional_setup(drv_info->version, mem_region); =20 composite =3D buffer + composite_offset; composite->total_pg_cnt =3D ffa_get_num_pages_sg(args->sg); 
diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h
index 81e603839c4a..62d67dae8b70 100644
--- a/include/linux/arm_ffa.h
+++ b/include/linux/arm_ffa.h
@@ -445,7 +445,7 @@ ffa_mem_desc_offset(struct ffa_mem_region *buf, int cou= nt, u32 ffa_version) if (!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(ffa_version)) offset +=3D offsetof(struct ffa_mem_region, ep_mem_offset); else - offset +=3D sizeof(struct ffa_mem_region); + offset +=3D buf->ep_mem_offset; =20 return offset; }
-- 
2.54.0.746.g67dd491aae-goog
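Review bot: in the first driver.c hunk the two new checks `composite_offset + sizeof(*composite) > max_fragsize` and `ep_offset + emad_size > max_fragsize` return `-ENXIO` silently, while the constituent check further down the same function logs with `pr_err()` and returns `-EFAULT`; use one errno and one logging convention for all three. Both sums are u32; since `ep_mem_offset` is filled in by `ffa_mem_region_additional_setup()` (which is why that call had to move up) the value is the driver's own and cannot wrap, but a short comment saying so would stop readers comparing this with the `(u64)` cast used for the same check in the pKVM patch of this series.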
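Review bot: with the `ffa_mem_region_additional_setup(drv_info->version, mem_region);` call moved up in the first hunk, it now runs before `mem_region->handle = 0;` and `mem_region->ep_count = args->nattrs;` are assigned in the second hunk; confirm that function reads neither field, or set `ep_count` and `handle` before calling it, since `ep_count` is the natural input for laying out the EMAD array.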
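Review bot: `offset += buf->ep_mem_offset;` makes `ffa_mem_desc_offset()` return a value taken straight from the descriptor, and `offset` is a u32, so when `buf` was written by someone else (the host's Tx buffer in `__do_ffa_mem_xfer()`, the SPMD's Rx buffer in `do_ffa_mem_reclaim()`) the sum with the per-`count` term computed above this hunk can wrap, and every caller must bound the result against the buffer it indexes; the pKVM patch later in this series casts the caller's addition to `(u64)`, which does not cover a wrap inside this function for `count > 0`. Either return `u64`/`size_t` here, or add a comment above the function stating that the result is untrusted input and must be checked against the buffer length before use.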
Date: Wed, 27 May 2026 15:02:34 +0000
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
Message-ID: <20260527150236.1978655-5-smostafa@google.com>
Subject: [PATCH v6 4/6] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

Sashiko (locally) reports an out-of-bound write possibility if the SPMD returns invalid data.

While the SPMD is considered trusted, pKVM does some basic checks, for the offset to be less than or equal to len. However, that is incorrect, as even if the offset is smaller than len pKVM can still access out-of-bound memory in the next ffa_host_unshare_ranges().

Split this check into 2:
1- Check that the fixed portion of the descriptor fits.
2- After getting reg, check the variable array size addr_range_cnt fits.

Also, drop the WARN_ONs as that will panic the kernel and in the next checks there are no WARNs, so that makes it consistent.

Fixes: 0a9f15fd5674 ("KVM: arm64: pkvm: Add support for fragmented FF-A descriptors")
Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 1af722771178..b6cf9ad82e12 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -607,8 +607,8 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, * check that we end up with something that doesn't look _completely_ * bogus. */ - if (WARN_ON(offset > len || - fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) { + if (offset + CONSTITUENTS_OFFSET(0) > len || + fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) { ret =3D FFA_RET_ABORTED; ffa_rx_release(res); goto out_unlock; 
@@ -641,6 +641,11 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, goto out_unlock; =20 reg =3D (void *)buf + offset; + if (offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len) { + ret =3D FFA_RET_ABORTED; + goto out_unlock; + } + /* If the SPMD was happy, then we should be too. */ WARN_ON(ffa_host_unshare_ranges(reg->constituents, reg->addr_range_cnt));
-- 
2.54.0.746.g67dd491aae-goog
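Review bot: the first hunk's `offset + CONSTITUENTS_OFFSET(0) > len` bounds the composite's fixed part against `len`, but at the point of this check only `fraglen` bytes have arrived in the Rx buffer, so the check is sufficient only if `reg` is dereferenced after all `len` bytes have been assembled from the remaining fragments; the hunk context does not show that, so a one-line comment stating it (and why `len`, not `fraglen`, is the right bound here, in contrast to the EMAD check in the next patch) would make the check self-evidently correct. The commit message also says "drop the WARN_ONs", but `WARN_ON(ffa_host_unshare_ranges(...))` in the second hunk is kept; adjust the wording or note why that one stays.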
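Review bot: the new `offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len` check sits after the `goto out_unlock;` that follows the reclaim call and just above the `/* If the SPMD was happy, then we should be too. */` comment, that is, after the SPMD has already processed the reclaim, so on this bail-out path the region is reclaimed on the SPMD side while `ffa_host_unshare_ranges()` never runs and the host's pages stay marked shared in the hypervisor's tracking. If the full descriptor is assembled before the reclaim is issued, move this check (and the fixed-part check from the first hunk) ahead of it so a malformed descriptor is rejected without changing any state; otherwise document the inconsistent state this path leaves behind.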
Date: Wed, 27 May 2026 15:02:35 +0000
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
Message-ID: <20260527150236.1978655-6-smostafa@google.com>
Subject: [PATCH v6 5/6] KVM: arm64: Validate the offset to the mem access descriptor
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

From: Sebastian Ene

Prevent the pKVM hypervisor from making assumptions that the endpoint memory access descriptor (EMAD) comes right after the FF-A memory region header. Prior to FF-A version 1.1 the header of the memory region didn't contain an offset to the endpoint memory access descriptor.

The layout of a memory transaction looks like this from 1.1 onward:

  Type     | Field name                 | Offset
  [ Header | ffa_mem_region             | 0
    EMAD 1 | ffa_mem_region_attributes) | ffa_mem_region.ep_mem_offset ]

Verify that the offset to the first endpoint memory access descriptor is within the mailbox buffer bounds.

Also, fix one hardcoded sizeof(struct ffa_mem_region_attributes) that should be replaced with ffa_emad_size_get() for compatibility with FFA v1.0.

[@Mostafa, Add missing call to ffa_rx_release() and use fraglen as the max buffer size as it is the only initialised part]

Fixes: 42fb33dde42b ("KVM: arm64: Use FF-A 1.1 with pKVM")
Signed-off-by: Sebastian Ene
Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index b6cf9ad82e12..a12e01883314 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -476,10 +476,10 @@ static void __do_ffa_mem_xfer(const u64 func_id, DECLARE_REG(u32, fraglen, ctxt, 2); DECLARE_REG(u64, addr_mbz, ctxt, 3); DECLARE_REG(u32, npages_mbz, ctxt, 4); + u32 offset, nr_ranges, checked_offset, em_mem_access_off; struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges, checked_offset; int ret =3D 0; =20 if (addr_mbz || npages_mbz || fraglen > len || @@ -489,7 +489,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, } =20 if (fraglen < sizeof(struct ffa_mem_region) + - sizeof(struct ffa_mem_region_attributes)) { + ffa_emad_size_get(hyp_ffa_version)) { ret =3D FFA_RET_INVALID_PARAMETERS; goto out; }
@@ -508,8 +508,13 @@ static void __do_ffa_mem_xfer(const u64 func_id, buf =3D hyp_buffers.tx; memcpy(buf, host_buffers.tx, fraglen); =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; if (!offset || buf->ep_count !=3D 1 || buf->sender_id !=3D HOST_FFA_ID) { ret =3D FFA_RET_INVALID_PARAMETERS; @@ -574,9 +579,9 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, DECLARE_REG(u32, handle_lo, ctxt, 1); DECLARE_REG(u32, handle_hi, ctxt, 2); DECLARE_REG(u32, flags, ctxt, 3); + u32 offset, len, fraglen, fragoff, em_mem_access_off; struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; - u32 offset, len, fraglen, fragoff; struct ffa_mem_region *buf; int ret =3D 0; u64 handle; 
@@ -599,8 +604,14 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, len =3D res->a1; fraglen =3D res->a2; =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + ffa_rx_release(res); + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; /* * We can trust the SPMD to get this right, but let's at least --=20 2.54.0.746.g67dd491aae-goog
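Review bot: the minimum-length check in the first hunk of `__do_ffa_mem_xfer` (`if (fraglen < sizeof(struct ffa_mem_region) + ffa_emad_size_get(hyp_ffa_version))`) is now only a lower bound: it guarantees that the header and one contiguously placed EMAD fit, but for 1.1 the EMAD is wherever `ep_mem_offset` says, and the real bounds check happens later in the same function. A one-line comment saying this check exists so the header fields can be read safely before the offset is consulted would stop the next reader from treating it as the bounds check. Computing `ffa_emad_size_get(hyp_ffa_version)` once into a local here and reusing it in the later check would also avoid calling it twice on the same path.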
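Review bot: in the `__do_ffa_mem_xfer` offset hunk, `if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen)` correctly does the sum in 64 bits, so a host-supplied `ep_mem_offset` near UINT32_MAX cannot wrap back under `fraglen`; good. What it does not require is a lower bound: nothing rejects `em_mem_access_off < sizeof(struct ffa_mem_region)`, so a 1.1 host can point EMAD 0 back into the header it just sent and have `composite_off` read from header bytes. The existing `if (!offset || buf->ep_count != 1 || buf->sender_id != HOST_FFA_ID)` checks still apply to the value read, so this looks harmless, but adding `em_mem_access_off < sizeof(*buf)` to the rejection condition makes the intended layout explicit and costs nothing. Style: with the leading tab this line runs past 80 columns; hoisting the EMAD size into a local (`u32 emad_sz = ffa_emad_size_get(hyp_ffa_version);`) brings it back under.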
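Review bot: naming and churn in the `do_ffa_mem_reclaim` declaration hunk (and the matching one in `__do_ffa_mem_xfer`): the new variable `em_mem_access_off` initialises the pointer `ep_mem_access`, so `ep_mem_access_off` (or simply `emad_off`) would read consistently with the code it feeds. The existing `u32 offset, len, fraglen, fragoff;` line is also moved up rather than extended; appending the new name to it in place keeps the diff minimal and avoids reordering declarations the patch otherwise doesn't touch.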
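Review bot: in the `do_ffa_mem_reclaim` hunk the bound is `fraglen` from `res->a2`, i.e. the fragment length the SPMD reported for the retrieve response, and the visible lines do not clamp it to the hypervisor RX mailbox size before using it as the bound. If that is not done elsewhere in the function, a `fraglen` larger than the mailbox (e.g. larger than `KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE`) would let this check pass for an EMAD offset beyond the buffer; either add that sanity check ahead of this one or note in the commit message that the existing handling already covers it. The error path correctly calls `ffa_rx_release(res)` before `goto out_unlock`, unlike the `__do_ffa_mem_xfer` path which has no RX buffer to release; since the comment just below ("We can trust the SPMD to get this right, but let's at least ...") already explains why the SPMD's data is still validated, folding the new check under that comment would keep the rationale in one place.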
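To make the check in this patch concrete, here is an added user-space model of the EMAD bounds check; it is example code, not the kernel's or the series' code. The struct layouts, FFA_1_0_HDR_SIZE and MBOX_SIZE are assumptions chosen for the example (the 1.1 header here is 48 bytes, the 1.0 header 32 bytes with the EMAD following it directly, and every EMAD is 16 bytes); the kernel helpers ffa_mem_desc_offset() and ffa_emad_size_get() are replaced by emad0_offset() and sizeof(struct emad). It shows both layouts, the fraglen bound, and why the sum has to be done in 64 bits.

```c
/*
 * Added example (user-space model, not kernel code): the EMAD-0 bounds check
 * pKVM applies to a host-supplied FF-A memory transaction descriptor, for the
 * 1.0 (fixed offset) and 1.1+ (offset read from the header) layouts.
 * Struct layouts, FFA_1_0_HDR_SIZE and MBOX_SIZE are assumptions for this
 * example, not the kernel's definitions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define FFA_VERSION_1_1   0x10001u
#define FFA_1_0_HDR_SIZE  32u     /* assumed: 1.0 header, EMAD 0 follows it directly */
#define MBOX_SIZE         4096u   /* assumed: one page of TX mailbox */

/* Memory transaction descriptor header, FF-A 1.1 style (assumed layout, 48 bytes). */
struct mem_region_hdr {
	uint16_t sender_id;
	uint16_t attributes;
	uint32_t flags;
	uint64_t handle;
	uint64_t tag;
	uint32_t ep_mem_size;    /* size of one EMAD */
	uint32_t ep_count;
	uint32_t ep_mem_offset;  /* where EMAD 0 starts; host controlled */
	uint32_t reserved[3];
};

/* Endpoint memory access descriptor (16 bytes); composite_off is the next untrusted hop. */
struct emad {
	uint16_t receiver;
	uint8_t  attrs;
	uint8_t  flag;
	uint32_t composite_off;
	uint64_t reserved;
};

/* Same role as ffa_mem_desc_offset(): where EMAD 0 lives for this version. */
static uint32_t emad0_offset(const uint8_t *buf, uint32_t version)
{
	struct mem_region_hdr hdr;

	if (version < FFA_VERSION_1_1)
		return FFA_1_0_HDR_SIZE;       /* 1.0: fixed, right after the header */
	memcpy(&hdr, buf, sizeof(hdr));
	return hdr.ep_mem_offset;              /* 1.1+: taken from the header itself */
}

/* The same sum done in u32 instead of u64: shows why the patch casts first. */
static bool emad_end_wraps_in_u32(uint32_t off)
{
	uint32_t end32 = off + (uint32_t)sizeof(struct emad);

	return end32 < off;
}

/*
 * Hardened read: EMAD 0 must lie entirely within the fraglen bytes copied
 * from the host (the only initialised part of the buffer).  Returns
 * composite_off on success, -1 when the descriptor is rejected.
 */
static int64_t read_composite_off(const uint8_t *buf, uint32_t fraglen, uint32_t version)
{
	uint32_t hdr_sz = version < FFA_VERSION_1_1 ? FFA_1_0_HDR_SIZE
						    : (uint32_t)sizeof(struct mem_region_hdr);
	uint32_t off;
	struct emad e;

	/* Lower bound: header plus one EMAD, so the header fields are readable. */
	if (fraglen < hdr_sz + sizeof(struct emad))
		return -1;

	off = emad0_offset(buf, version);
	/* 64-bit arithmetic: an offset near UINT32_MAX cannot wrap back in range. */
	if ((uint64_t)off + sizeof(struct emad) > fraglen)
		return -1;

	memcpy(&e, buf + off, sizeof(e));
	return e.composite_off;
}

/*
 * Constructed input: a descriptor in a mailbox-sized buffer with EMAD 0 at the
 * offset the host claims (placed only if it fits the mailbox at all), checked
 * against fraglen.  Returns composite_off or -1 (rejected).
 */
static int64_t scenario(uint32_t version, uint32_t ep_mem_offset, uint32_t fraglen)
{
	static uint8_t mbox[MBOX_SIZE];
	uint32_t off = version < FFA_VERSION_1_1 ? FFA_1_0_HDR_SIZE : ep_mem_offset;
	struct mem_region_hdr hdr = { .ep_mem_size = sizeof(struct emad),
				      .ep_count = 1, .ep_mem_offset = ep_mem_offset };
	struct emad e = { .receiver = 0x8001,
			  .composite_off = off + (uint32_t)sizeof(struct emad) };

	if (fraglen > MBOX_SIZE)
		return -1;
	memset(mbox, 0, sizeof(mbox));
	memcpy(mbox, &hdr, sizeof(hdr));
	if ((uint64_t)off + sizeof(e) <= MBOX_SIZE)
		memcpy(mbox + off, &e, sizeof(e));
	return read_composite_off(mbox, fraglen, version);
}

int main(void)
{
	printf("1.1, EMAD at 48, fraglen 64:     %lld\n", (long long)scenario(FFA_VERSION_1_1, 48, 64));
	printf("1.1, EMAD straddles fraglen:     %lld\n", (long long)scenario(FFA_VERSION_1_1, MBOX_SIZE - 8, MBOX_SIZE));
	printf("1.1, offset 0xfffffff8:          %lld (u32 sum wraps: %d)\n",
	       (long long)scenario(FFA_VERSION_1_1, 0xfffffff8u, 64), emad_end_wraps_in_u32(0xfffffff8u));
	printf("1.0, fixed EMAD at 32, len 48:   %lld\n", (long long)scenario(0x10000u, 0, 48));
	return 0;
}
```

The wrap case is the one the `(u64)` cast in the patch is for: in 32-bit arithmetic 0xfffffff8 + 16 is 8, which is comfortably below any fraglen, while the 64-bit sum is rejected. The model also accepts ep_mem_offset 0 (an EMAD overlapping the header), which is exactly why a lower bound on the offset is worth adding alongside the upper one.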
Date: Wed, 27 May 2026 15:02:36 +0000
Message-ID: <20260527150236.1978655-7-smostafa@google.com>
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
Subject: [PATCH v6 6/6] KVM: arm64: Ensure FFA ranges are page aligned
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh

At the moment we only check that the size of the range is page aligned, and truncate the address to the page boundary. This makes an assumption that TZ will do the same. However, it might decide to use the extra offset of the neighbour page at the end, which is valid under FFA if NS is using a larger page size.

Harden this check by also checking that the base address is aligned and reject it otherwise.

Fixes: 436090001776 ("KVM: arm64: Handle FFA_MEM_SHARE calls from the host")
Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index a12e01883314..daf0e328c847 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -352,7 +352,7 @@ static u32 __ffa_host_share_ranges(struct ffa_mem_regio= n_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_share_ffa(pfn, sz / PAGE_SIZE)) @@ -372,7 +372,7 @@ static u32 __ffa_host_unshare_ranges(struct ffa_mem_reg= ion_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_unshare_ffa(pfn, sz / PAGE_SIZE)) --=20 2.54.0.746.g67dd491aae-goog
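Review bot: in the `__ffa_host_share_ranges` hunk, `if (!PAGE_ALIGNED(sz | range->address))` is correct (ORing the two values has zero low bits only if both do) but terse for a security check; either a one-line comment or spelling it out as `!PAGE_ALIGNED(sz) || !PAGE_ALIGNED(range->address)` would say why the address now matters: with `PAGE_SIZE` larger than `FFA_PAGE_SIZE` the secure side is entitled to the whole `[address, address + sz)` range, while `hyp_phys_to_pfn(range->address)` silently rounds the base down, so the tail of the request lands in a page the host never shared. Also `pfn` is still computed from the untruncated address on the line above the check; harmless now that unaligned addresses are rejected, but computing it after the check reads more naturally.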
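Review bot: the `__ffa_host_unshare_ranges` hunk mirrors the share-side change, which is the right thing to do, but one edge is worth a word in either hunk: `range->pg_cnt == 0` gives `sz == 0`, which `PAGE_ALIGNED` accepts for any aligned address, so `__pkvm_host_unshare_ffa(pfn, 0)` (and the share counterpart) remains reachable; if those helpers are not no-ops for zero pages, reject `!range->pg_cnt` explicitly next to this check. Since the loop just `break`s on the first bad range, a comment noting that the caller is expected to roll back the ranges already processed would also help anyone reading the unshare path in isolation.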
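As an added illustration of what the old check lets through and the new one rejects (example code, not from the patch or the kernel), here is a user-space model of both versions of the range check with an assumed 64K hypervisor page and 4K FF-A pages; the macro names mirror the kernel's but are redefined locally, and old_check_overhang() is an invented helper that computes how many bytes of the secure side's legitimate range fall outside the pages pKVM actually shared.

```c
/*
 * Added example, not code from the patch: models the old and the hardened
 * range check of __ffa_host_share_ranges() with a 64K hypervisor page and
 * 4K FF-A pages.  The page sizes are assumptions chosen to make the mismatch
 * visible; the macro names mirror the kernel's but are redefined here.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define FFA_PAGE_SIZE   4096ULL               /* granule of FF-A range descriptors */
#define PAGE_SHIFT      16                    /* assumed 64K hypervisor page */
#define PAGE_SIZE       (1ULL << PAGE_SHIFT)
#define PAGE_ALIGNED(x) ((((uint64_t)(x)) & (PAGE_SIZE - 1)) == 0)

struct ffa_mem_region_addr_range {
	uint64_t address;
	uint32_t pg_cnt;   /* number of FFA_PAGE_SIZE pages */
};

static uint64_t range_size(const struct ffa_mem_region_addr_range *r)
{
	return (uint64_t)r->pg_cnt * FFA_PAGE_SIZE;
}

/* Pre-patch: only the size is checked; the base address is later truncated. */
static bool old_check_accepts(const struct ffa_mem_region_addr_range *r)
{
	return PAGE_ALIGNED(range_size(r));
}

/* Post-patch: size and base address must both be hypervisor-page aligned. */
static bool new_check_accepts(const struct ffa_mem_region_addr_range *r)
{
	return PAGE_ALIGNED(range_size(r) | r->address);
}

/*
 * Invented helper: bytes the secure side may legitimately access
 * ([address, address + sz)) that fall outside what pKVM marked shared after
 * rounding the base down to a pfn ([pfn << PAGE_SHIFT, that + sz)).
 * Non-zero means a page the host never shared is reachable from the secure
 * world under the old check.
 */
static uint64_t old_check_overhang(const struct ffa_mem_region_addr_range *r)
{
	uint64_t sz = range_size(r);
	uint64_t shared_start = r->address & ~(PAGE_SIZE - 1);  /* hyp_phys_to_pfn() effect */
	uint64_t shared_end = shared_start + sz;
	uint64_t requested_end = r->address + sz;

	if (!old_check_accepts(r))
		return 0;                       /* rejected: nothing was shared */
	return requested_end > shared_end ? requested_end - shared_end : 0;
}

/* Scalar wrappers so the checks can be driven without building structs. */
static bool old_accepts(uint64_t address, uint32_t pg_cnt)
{
	struct ffa_mem_region_addr_range r = { address, pg_cnt };
	return old_check_accepts(&r);
}

static bool new_accepts(uint64_t address, uint32_t pg_cnt)
{
	struct ffa_mem_region_addr_range r = { address, pg_cnt };
	return new_check_accepts(&r);
}

static uint64_t overhang(uint64_t address, uint32_t pg_cnt)
{
	struct ffa_mem_region_addr_range r = { address, pg_cnt };
	return old_check_overhang(&r);
}

int main(void)
{
	/* 16 x 4K starting 4K into a 64K page: old check passes, but the last 4K
	 * of the request lies in the next, unshared, 64K page. */
	printf("0x80001000/16: old=%d new=%d overhang=%#llx\n",
	       old_accepts(0x80001000ULL, 16), new_accepts(0x80001000ULL, 16),
	       (unsigned long long)overhang(0x80001000ULL, 16));
	/* Same size, base aligned: both checks pass and nothing hangs over. */
	printf("0x80000000/16: old=%d new=%d overhang=%#llx\n",
	       old_accepts(0x80000000ULL, 16), new_accepts(0x80000000ULL, 16),
	       (unsigned long long)overhang(0x80000000ULL, 16));
	return 0;
}
```

The overhang is exactly the offset of the base within the hypervisor page: the old check shared whole 64K pages starting from the rounded-down base, while the descriptor entitles the secure side to the same number of bytes starting from the unrounded base, so that many bytes at the end belong to a page the host never gave away.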