From nobody Thu Jun 18 10:04:13 2026 Received: from mail-wr1-f74.google.com (mail-wr1-f74.google.com [209.85.221.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1AF0226ED3C for ; Wed, 17 Jun 2026 14:51:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781707902; cv=none; b=pHR+1QD3JcXF070JWOJ3gvPvsEXEpVmkGMSZKSTU0vEtU1qugoPHU9A18maGNxFxHHqxg1U11zqIPHKf77PRZ2BQjlWhAJjRDtJVPtRsw0seUea/Ox4U7w4bflDUO9wYBNitoIoiddgI0Zm1lzLzTfdwNmjkRIyLuxg1MuNccow= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781707902; c=relaxed/simple; bh=fmNOj5noDV8FLWJ+KWreCVyhF0Hc+7vAbj6fINFnd0Q=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=c5Q6GvyL2Yr411sSvwts5Us6ni+q5fjMAgBlua/uodyyfwthRlGT5Bv/vO4EvB/wYfOmdrkNG/ZqL1yaCcqOy68EITPhxmcHIgY69X6bA1FEQAddr4gXt4sKQz4dwoJnBd5Z4TJQy0bSSKBKiyEXFYiIsQnOr6yfXr3g2A4r9Fk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=PWIB0xBH; arc=none smtp.client-ip=209.85.221.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PWIB0xBH" Received: by mail-wr1-f74.google.com with SMTP id ffacd0b85a97d-45efa2f7009so4067041f8f.3 for ; Wed, 17 Jun 2026 07:51:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1781707899; 
x=1782312699; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=iDAOdwtxrmt1yvz0cAbxnb4xCO26mPsS8gCJRaVl/Ak=; b=PWIB0xBHalmuIwhZRE2aWB0MlzyjxJdB/neK2m0f1fhQk4wrFaUE3nnFWOeS/LVw2k YTGYCSnZ2FdCFB+fdOVagSFeVDNoxjbheY8Blw/jIgQn3Pq2vGp7bNGw6J0mXIwourND U2R9P/Czw8lzIHkeFP4iCf0h2LZ+AHg6H4Y1ldUK7zrQRRXG6EwGL+QIGw5d/DLC5gfR j1Y6r+IUg0u8UqZ9Erv5YYJso0PjfNdY+5V1XEhsNu7QLbqrXnQ1JmyGWGCo7kPEA08p Uz5zpcGrr5DDe9HWGBsR/0NFat8PtZeaSS42MpaYQ7dHQutv7KgWHfp/TzNY8Z9hYdad 8sRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781707899; x=1782312699; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iDAOdwtxrmt1yvz0cAbxnb4xCO26mPsS8gCJRaVl/Ak=; b=fgQZmxyXi2TdDKchlCOvE2uD4MiMoSkruU+v2qzr514LKuBG6m6yRByMVeyYIIR2YL KMOAjhkAnN2Edxj9dUETWrWRfS0mFEAMSxe2641M3xpuEjmjmsxoPg9bvKbC4deQe18w x20F+XmpfsH/aqP/jJk1og7O9xXMIPC3odWOcVEnobC2V9X8uBIzAdjER3VezTirr1a1 mz0TtYBBUhD0ye6f5c7JDoVpihLxFAmxN7SZbPtHzZ21o+y2BN84GhVg4sjbMO0HIg28 DF99ATf/LflMN7e7mPqm6BPSwqM4F2DMRdcrTmjytNzBvhy2ew1DwgX41J92PmApLncg Igig== X-Forwarded-Encrypted: i=1; AFNElJ+NeLrHqvNXcFlqYDSkQgdPM0w8n86u6C8pOllaKV++NJLv5TPW90ZGF3TPcpubNsjvWa4l9JNmzKfEd7s=@vger.kernel.org X-Gm-Message-State: AOJu0YycF28Sdx5TbizVSWOa5SdTkl1jEEPulU8cv6Xg3nZxU3DPqvwW BJU/YtPmS3jKwhtBAxxQppPf+eOAXz7GEnf4P9PBmZBkgEhE+QrL9KKLfQhAzM8KWiyl5bnLgrD EYaFO/1VoROKN8VENg5QHTbPqhVoTWQ== X-Received: from wraz22.prod.google.com ([2002:a05:6000:4696:b0:45e:e4d6:bba4]) (user=sebastianene job=prod-delivery.src-stubby-dispatcher) by 2002:adf:f206:0:b0:441:1e1e:a050 with SMTP id ffacd0b85a97d-462374b8285mr5538800f8f.16.1781707898956; Wed, 17 Jun 2026 07:51:38 -0700 (PDT) Date: Wed, 17 Jun 2026 14:51:24 +0000 In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: 
References: <20260617145130.3729015-1-sebastianene@google.com>
Message-ID: <20260617145130.3729015-2-sebastianene@google.com>
Subject: [PATCH v7 1/7] optee: ffa: Add NULL check in optee_ffa_lend_protmem
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com, Sumit Garg

From: Mostafa Saleh

Sashiko (locally) reports a possible null dereference under memory pressure due to the lack of validation of the allocated pointer. Fix that by adding the missing check.

Fixes: 2b78d79cdf96 ("optee: FF-A: dynamic protected memory allocation")
Signed-off-by: Mostafa Saleh
Signed-off-by: Sebastian Ene
Reviewed-by: Sumit Garg
---
 drivers/tee/optee/ffa_abi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
index b4372fa268d0..633715b98625 100644
--- a/drivers/tee/optee/ffa_abi.c
+++ b/drivers/tee/optee/ffa_abi.c
@@ -698,6 +698,9 @@ static int optee_ffa_lend_protmem(struct optee *optee, = struct tee_shm *protmem, int rc; =20 mem_attr =3D kzalloc_objs(*mem_attr, ma_count); + if (!mem_attr) + return -ENOMEM; + for (n =3D 0; n < ma_count; n++) { mem_attr[n].receiver =3D mem_attrs[n] & U16_MAX; mem_attr[n].attrs =3D mem_attrs[n] >> 16; --=20 2.54.0.1136.gdb2ca164c4-goog
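Review bot: the new `return -ENOMEM` after kzalloc_objs() is the right check, but the hunk context starts at the allocation, so it does not show whether anything earlier in optee_ffa_lend_protmem() (a previous allocation or a protmem reservation) still needs releasing on this path; if there is such state, this should `goto` the function's cleanup label rather than return directly. Worth a maintainer confirmation that the early return leaves nothing dangling.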
Date: Wed, 17 Jun 2026 14:51:25 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
Message-ID: <20260617145130.3729015-3-sebastianene@google.com>
Subject: [PATCH v7 2/7] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com

From: Mostafa Saleh

Sashiko (locally) reports multiple out-of-bound issues in ffa_setup_and_transmit:

1) Writing ep_mem_access->reserved can write out of bounds for FFA versions < 1.2 as ffa_emad_size_get() returns 16 bytes in that case while reserved has an offset of 24. Instead of zeroing fields, memset the struct to zero first based on the FFA version.

2) Make sure there is enough size to write constituents.

While at it, convert the only sizeof() in the driver that uses a type instead of a variable.

Reviewed-by: Sudeep Holla
Fixes: 111a833dc5cb ("firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors")
Signed-off-by: Mostafa Saleh
Signed-off-by: Sebastian Ene --- drivers/firmware/arm_ffa/driver.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index b9f17fda7243..059e2aae7ca0 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -715,11 +715,10 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, for (idx =3D 0; idx < args->nattrs; idx++) { ep_mem_access =3D buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version); + memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; - ep_mem_access->flag =3D 0; - ep_mem_access->reserved =3D 0; ffa_emad_impdef_value_init(drv_info->version, ep_mem_access->impdef_val, args->attrs[idx].impdef_val); @@ -759,7 +758,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents =3D buffer; } =20 - if ((void *)constituents - buffer > max_fragsize) { + if ((void *)constituents + sizeof(*constituents) - buffer > max_fragsize= ) { pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT; } 
@@ -768,7 +767,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, constituents->pg_cnt =3D args->sg->length / FFA_PAGE_SIZE; constituents->reserved =3D 0; constituents++; - frag_len +=3D sizeof(struct ffa_mem_region_addr_range); + frag_len +=3D sizeof(*constituents); } while ((args->sg =3D sg_next(args->sg))); =20 return ffa_transmit_fragment(func_id, addr, buf_sz, frag_len, --=20 2.54.0.1136.gdb2ca164c4-goog
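Review bot: in the first hunk (`@@ -715,11 +715,10 @@`), `memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version))` now writes a version-sized block at an offset computed by ffa_mem_desc_offset(buffer, idx, ...) without any check that offset + size still fits in max_fragsize; the only size check in this function (second hunk) covers the constituents, so a large args->nattrs still writes past the Tx buffer. Bounding ep_mem_access before the memset, as patch 3 of this series goes on to do, closes that.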
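Review bot: in the second hunk (`@@ -759,7 +758,7 @@`), `(void *)constituents + sizeof(*constituents) - buffer > max_fragsize` compares a ptrdiff_t with a u32; it is correct because constituents never precedes buffer, but computing the end offset into an explicitly unsigned variable first (`size_t end = (void *)constituents - buffer + sizeof(*constituents);`) would make the intent obvious to the next reader. Returning -EFAULT for what is a sizing problem is pre-existing, but -EINVAL or -ENXIO would describe it better if this line is being touched anyway.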
Date: Wed, 17 Jun 2026 14:51:26 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
Message-ID: <20260617145130.3729015-4-sebastianene@google.com>
Subject: [PATCH v7 3/7] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com

Use the descriptor's `ep_mem_offset` to calculate the start of the endpoint memory access array and to comply with the FF-A spec instead of defaulting to `sizeof(struct ffa_mem_region)`. This requires moving `ffa_mem_region_additional_setup()` earlier in the setup flow.

Also, add sanity checks to ensure the calculated descriptor offsets do not exceed `max_fragsize`.

Fixes: 113580530ee7 ("firmware: arm_ffa: Update memory descriptor to support v1.1 format")
Signed-off-by: Sebastian Ene
Reviewed-by: Sudeep Holla
Signed-off-by: Mostafa Saleh --- drivers/firmware/arm_ffa/driver.c | 20 +++++++++++++++----- include/linux/arm_ffa.h | 2 +- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 059e2aae7ca0..92edf397bcd2 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -703,19 +703,30 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, struct ffa_composite_mem_region *composite; struct ffa_mem_region_addr_range *constituents; struct ffa_mem_region_attributes *ep_mem_access; - u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g); + u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g), ep_offset; + u32 emad_end, emad_size =3D ffa_emad_size_get(drv_info->version); =20 mem_region->tag =3D args->tag; mem_region->flags =3D args->flags; mem_region->sender_id =3D drv_info->vm_id; mem_region->attributes =3D ffa_memory_attributes_get(func_id); + + ffa_mem_region_additional_setup(drv_info->version, mem_region); composite_offset =3D ffa_mem_desc_offset(buffer, args->nattrs, drv_info->version); + if (composite_offset + sizeof(*composite) > max_fragsize) + return -ENXIO; =20 for (idx =3D 0; idx < args->nattrs; idx++) { - ep_mem_access =3D buffer + - ffa_mem_desc_offset(buffer, idx, drv_info->version); - memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); + ep_offset =3D ffa_mem_desc_offset(buffer, idx, drv_info->version); + if (check_add_overflow(ep_offset, emad_size, &emad_end)) + return -ENXIO; + + if (emad_end > max_fragsize) + return -ENXIO; + + ep_mem_access =3D buffer + ep_offset; + memset(ep_mem_access, 0, emad_size); ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; 
@@ -725,7 +736,6 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, } mem_region->handle =3D 0; mem_region->ep_count =3D args->nattrs; - ffa_mem_region_additional_setup(drv_info->version, mem_region); =20 composite =3D buffer + composite_offset; composite->total_pg_cnt =3D ffa_get_num_pages_sg(args->sg); diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h index 81e603839c4a..62d67dae8b70 100644 --- a/include/linux/arm_ffa.h +++ b/include/linux/arm_ffa.h 
@@ -445,7 +445,7 @@ ffa_mem_desc_offset(struct ffa_mem_region *buf, int cou= nt, u32 ffa_version) if (!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(ffa_version)) offset +=3D offsetof(struct ffa_mem_region, ep_mem_offset); else - offset +=3D sizeof(struct ffa_mem_region); + offset +=3D buf->ep_mem_offset; =20 return offset; } --=20 2.54.0.1136.gdb2ca164c4-goog
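Review bot: in the driver.c hunk at `@@ -703,19 +703,30 @@`, the composite check `composite_offset + sizeof(*composite) > max_fragsize` uses plain addition while the per-EMAD check a few lines below uses check_add_overflow(); the former is safe only because sizeof() promotes the sum to size_t, so either use check_add_overflow() for both or add a comment saying why the composite sum cannot wrap. Also, ffa_mem_desc_offset(buffer, args->nattrs, ...) multiplies a caller-supplied nattrs inside a u32 helper (that part of its body is not in this patch); the emad_end check bounds the returned value but not a wrapped intermediate, so the helper's own arithmetic should be overflow-checked too, or nattrs capped before this point.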
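Review bot: in the `@@ -725,7 +736,6 @@` hunk, ffa_mem_region_additional_setup(drv_info->version, mem_region) is now called before `mem_region->handle` and `mem_region->ep_count` are assigned (both assignments are visible in this hunk's context); since the helper receives the whole mem_region, confirm it does not read ep_count, or move those two assignments up alongside the relocated call.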
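Review bot: in the include/linux/arm_ffa.h hunk, ffa_mem_desc_offset() now derives its result from `buf->ep_mem_offset`, a field read out of the descriptor rather than a compile-time constant; on the transmit side this is the value the driver itself just wrote, but the pKVM callers later in this series pass a buffer copied from the host, so every caller must bound the returned offset against the fragment length before dereferencing it, as the driver.c hunk now does. A one-line comment on the helper stating that the result is untrusted and must be range-checked would protect future callers.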
Date: Wed, 17 Jun 2026 14:51:27 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
Message-ID: <20260617145130.3729015-5-sebastianene@google.com>
Subject: [PATCH v7 4/7] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com
From: Mostafa Saleh Sashiko (locally) reports out of bound write possiblity if SPMD returns an invalid data. While SPMD is considered trusted, pKVM does some basic checks, for offset to be less than or equal len. However, that is incorrect as even if the offset is smaller than len pKVM can still access out of bound memory in the next ffa_host_unshare_ranges(). Split this check into 2: 1- Check that the fixed portion of the descriptor fits. 2- After getting reg, check the variable array size addr_range_cnt fits. Also, drop the WARN_ONs as that will panic the kernel and in the next checks there are no WARNs, so that makes it consistent. Fixes: 0a9f15fd5674 ("KVM: arm64: pkvm: Add support for fragmented FF-A des= criptors") Signed-off-by: Mostafa Saleh Signed-off-by: Sebastian Ene --- arch/arm64/kvm/hyp/nvhe/ffa.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 1af722771178..2d211661952e 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -607,8 +607,8 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, * check that we end up with something that doesn't look _completely_ * bogus. */ - if (WARN_ON(offset > len || - fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) { + if (offset + CONSTITUENTS_OFFSET(0) > len || + fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) { ret =3D FFA_RET_ABORTED; ffa_rx_release(res); goto out_unlock; 
@@ -636,11 +636,17 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_r= egs *res, ffa_rx_release(res); } =20 + reg =3D (void *)buf + offset; + if (offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len) { + ret =3D FFA_RET_ABORTED; + ffa_rx_release(res); + goto out_unlock; + } + ffa_mem_reclaim(res, handle_lo, handle_hi, flags); if (res->a0 !=3D FFA_SUCCESS) goto out_unlock; =20 - reg =3D (void *)buf + offset; /* If the SPMD was happy, then we should be too. */ WARN_ON(ffa_host_unshare_ranges(reg->constituents, reg->addr_range_cnt)); --=20 2.54.0.1136.gdb2ca164c4-goog
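Review bot: in the first hunk (`@@ -607,8 +607,8 @@`), `offset + CONSTITUENTS_OFFSET(0) > len` only avoids a u32 wrap for an SPMD-supplied offset near U32_MAX if CONSTITUENTS_OFFSET() evaluates to a size_t (for instance through offsetof()); if the macro yields a u32 the sum can wrap and pass the test, so a check_add_overflow() form, as patch 3 of this series uses, would be safer and self-documenting. Dropping the WARN_ON() also turns the failure from a loud warning into a silent FFA_RET_ABORTED; the commit message justifies the change, but it is worth stating in the code comment above the check that a silent abort is the intended behaviour.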
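Review bot: in the second hunk (`@@ -636,11 +636,17 @@`), CONSTITUENTS_OFFSET(reg->addr_range_cnt) multiplies an SPMD-controlled count; unless the macro does that multiplication in 64 bits (or through size_mul()/check_mul_overflow()), a large addr_range_cnt can wrap the product so that `> len` passes while ffa_host_unshare_ranges() later walks addr_range_cnt entries past the buffer. Moving the validation before ffa_mem_reclaim() is the right fix, since after a successful reclaim there is no way back; note that the new error path calls ffa_rx_release() while the existing `res->a0 != FFA_SUCCESS` path does not, which looks intentional but deserves a comment.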
Date: Wed, 17 Jun 2026 14:51:28 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
Message-ID: <20260617145130.3729015-6-sebastianene@google.com>
Subject: [PATCH v7 5/7] KVM: arm64: Validate the offset to the mem access descriptor
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com

Prevent the pKVM hypervisor from making assumptions that the endpoint
memory access descriptor (EMAD) comes right after the FF-A memory region
header. Prior to FF-A version 1.1 the header of the memory region didn't
contain an offset to the endpoint memory access descriptor.

The layout of a memory transaction looks like this from 1.1 onward:

  Type   | Field name                | Offset
  [
  Header | ffa_mem_region            | 0
  EMAD 1 | ffa_mem_region_attributes | ffa_mem_region.ep_mem_offset
  ]

Verify that the offset to the first endpoint memory access descriptor is
within the mailbox buffer bounds. Also, fix one hardcoded
sizeof(struct ffa_mem_region_attributes) that should be replaced with
ffa_emad_size_get() for compatibility with FFA v1.0.

Fixes: 42fb33dde42b ("KVM: arm64: Use FF-A 1.1 with pKVM")
Signed-off-by: Sebastian Ene
Signed-off-by: Mostafa Saleh
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index 2d211661952e..1a2abd0154c6 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -476,11 +476,14 @@ static void __do_ffa_mem_xfer(const u64 func_id, DECLARE_REG(u32, fraglen, ctxt, 2); DECLARE_REG(u64, addr_mbz, ctxt, 3); DECLARE_REG(u32, npages_mbz, ctxt, 4); + u32 offset, nr_ranges, checked_offset, em_mem_access_off; struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges, checked_offset; int ret =3D 0; + size_t mem_region_len =3D !FFA_MEM_REGION_HAS_EP_MEM_OFFSET(hyp_ffa_versi= on) ? + offsetof(struct ffa_mem_region, ep_mem_offset) : + sizeof(struct ffa_mem_region); =20 if (addr_mbz || npages_mbz || fraglen > len || fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) { @@ -488,8 +491,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out; } =20 - if (fraglen < sizeof(struct ffa_mem_region) + - sizeof(struct ffa_mem_region_attributes)) { + if (fraglen < mem_region_len + ffa_emad_size_get(hyp_ffa_version)) { ret =3D FFA_RET_INVALID_PARAMETERS; goto out; } @@ -508,8 +510,13 @@ static void __do_ffa_mem_xfer(const u64 func_id, buf =3D hyp_buffers.tx; memcpy(buf, host_buffers.tx, fraglen); =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; if (!offset || buf->ep_count !=3D 1 || buf->sender_id !=3D HOST_FFA_ID) { ret =3D FFA_RET_INVALID_PARAMETERS; 
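Review bot: the new check in the third hunk, `if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen)`, only rejects a descriptor that runs past the fragment; for FF-A 1.1 and later an `ep_mem_offset` smaller than `mem_region_len` (pointing back into the header) still passes, so consider also rejecting `em_mem_access_off < mem_region_len` while the value is in hand. Minor, first hunk: the `mem_region_len` initializer tests `!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(hyp_ffa_version)` and then lists the v1.0 size first; swapping the two branches drops the negation and reads in version order.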
@@ -574,9 +581,9 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, DECLARE_REG(u32, handle_lo, ctxt, 1); DECLARE_REG(u32, handle_hi, ctxt, 2); DECLARE_REG(u32, flags, ctxt, 3); + u32 offset, len, fraglen, fragoff, em_mem_access_off; struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; - u32 offset, len, fraglen, fragoff; struct ffa_mem_region *buf; int ret =3D 0; u64 handle; 
@@ -599,8 +606,14 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, len =3D res->a1; fraglen =3D res->a2; =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if ((u64)em_mem_access_off + ffa_emad_size_get(hyp_ffa_version) > fraglen= ) { + ret =3D FFA_RET_INVALID_PARAMETERS; + ffa_rx_release(res); + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; /* * We can trust the SPMD to get this right, but let's at least
--=20 2.54.0.1136.gdb2ca164c4-goog
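Review bot: this bounds check is a line-for-line copy of the one added in __do_ffa_mem_xfer; a small shared helper (hypothetical name `ffa_first_emad_in_bounds(buf, fraglen)`) would keep the two from drifting. The one real difference, the `ffa_rx_release(res);` before `goto out_unlock;` here, deserves a one-line comment saying why this path must release the RX buffer while the xfer error path does not, so a later cleanup doesn't "unify" it away.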
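To make the layout argument in the 5/7 commit message concrete, here is a stand-alone model of the check the patch adds. This is an added example, not code from the patch or from the kernel: the header and descriptor layouts, the 32-byte v1.1 EMAD size, the 4 KiB mailbox and every function name are assumptions for illustration (the kernel's own sizes come from ffa_emad_size_get() and struct ffa_mem_region). It mirrors the three steps in the hunks: a minimum fragment length before the header is trusted, 64-bit arithmetic so a huge offset cannot wrap past fraglen, and, stricter than the patch, a lower bound so the descriptor cannot overlap the header.

```c
/*
 * Added example (not code from the patch or the kernel): model of the
 * FF-A memory-transaction EMAD bounds check. Layouts are assumptions:
 *   v1.0: 32-byte header, first EMAD fixed at offset 32, 16-byte EMAD
 *   v1.1: 48-byte header carrying ep_mem_offset, 32-byte EMAD
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FFA_VERSION_1_0 0x10000u
#define FFA_VERSION_1_1 0x10001u
#define MBOX_SIZE       4096u     /* assumed single-page TX mailbox */

/* Header as laid out from FF-A 1.1 onward (assumed: ep_mem_offset at byte 32). */
struct mem_region_hdr {
    uint16_t sender_id;
    uint16_t attributes;
    uint32_t flags;
    uint64_t handle;
    uint64_t tag;
    uint32_t ep_mem_size;
    uint32_t ep_count;
    uint32_t ep_mem_offset;       /* absent in 1.0: the 1.0 header ends here */
    uint32_t reserved[3];
};

/* Endpoint memory access descriptor, 1.0 shape (assumed 16 bytes). */
struct emad {
    uint16_t receiver;
    uint8_t  attrs;
    uint8_t  flag;
    uint32_t composite_off;
    uint64_t reserved;
};

static int has_ep_mem_offset(uint32_t version) { return version >= FFA_VERSION_1_1; }

static size_t hdr_len(uint32_t version)
{
    return has_ep_mem_offset(version) ? sizeof(struct mem_region_hdr)
                                      : offsetof(struct mem_region_hdr, ep_mem_offset);
}

static size_t emad_len(uint32_t version)
{
    /* assumption: 1.1 appends a 16-byte impdef field to the 1.0 descriptor */
    return has_ep_mem_offset(version) ? sizeof(struct emad) + 16 : sizeof(struct emad);
}

/* Where the first EMAD starts: fixed at 32 for 1.0, header field from 1.1 on. */
static uint32_t first_emad_offset(const uint8_t *buf, uint32_t version)
{
    uint32_t off;
    if (!has_ep_mem_offset(version))
        return (uint32_t)offsetof(struct mem_region_hdr, ep_mem_offset);
    memcpy(&off, buf + offsetof(struct mem_region_hdr, ep_mem_offset), sizeof(off));
    return off;
}

/* 0 if the first EMAD lies wholly inside the copied fragment, -1 otherwise. */
int validate_first_emad(const uint8_t *buf, uint32_t fraglen, uint32_t version)
{
    size_t need = hdr_len(version) + emad_len(version);
    uint32_t off;

    if (fraglen > MBOX_SIZE)               /* fragment must fit the mailbox */
        return -1;
    if (fraglen < need)                    /* header + one EMAD before reading the header */
        return -1;
    off = first_emad_offset(buf, version);
    /* 64-bit sum: in u32, 0xfffffff0 + 32 would wrap to 0x10 and pass */
    if ((uint64_t)off + emad_len(version) > fraglen)
        return -1;
    if (off < hdr_len(version))            /* stricter than the patch: no overlap with header */
        return -1;
    return 0;
}

static uint8_t g_frag[MBOX_SIZE];          /* constructed fragment buffer */

/* Build a 1.1 fragment whose header claims the EMAD is at ep_mem_offset. */
int check_v11(uint32_t ep_mem_offset, uint32_t fraglen)
{
    struct mem_region_hdr h = { .ep_count = 1, .ep_mem_size = 32, .ep_mem_offset = ep_mem_offset };
    memset(g_frag, 0, sizeof g_frag);
    memcpy(g_frag, &h, sizeof h);
    return validate_first_emad(g_frag, fraglen, FFA_VERSION_1_1);
}

/* 1.0 ignores any offset field; only the fragment length matters. */
int check_v10(uint32_t fraglen)
{
    memset(g_frag, 0, sizeof g_frag);
    return validate_first_emad(g_frag, fraglen, FFA_VERSION_1_0);
}

int main(void)
{
    printf("v1.1 emad@48   fraglen=80: %s\n", check_v11(48, 80) ? "reject" : "ok");
    printf("v1.1 emad@0xfffffff0:      %s\n", check_v11(0xfffffff0u, 80) ? "reject" : "ok");
    printf("v1.0 fraglen=47:           %s\n", check_v10(47) ? "reject" : "ok");
    return 0;
}
```

The 0xfffffff0 case is the one the `(u64)` cast in the patch exists for: with 32-bit arithmetic the offset-plus-size wraps to a small number and the descriptor read lands far outside the mailbox.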
Date: Wed, 17 Jun 2026 14:51:29 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
References: <20260617145130.3729015-1-sebastianene@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260617145130.3729015-7-sebastianene@google.com>
Subject: [PATCH v7 6/7] KVM: arm64: Ensure FFA ranges are page aligned
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com
From: Mostafa Saleh

At the moment we only check that the size of the range is page aligned,
and truncate the address to the page boundary. This makes an assumption
that TZ will do the same. However, it might decide to use the extra
offset of the neighbour page at the end, which is valid under FFA if NS
is using a larger page size.

Harden this check by also checking that the base address is aligned and
reject it otherwise.

Fixes: 436090001776 ("KVM: arm64: Handle FFA_MEM_SHARE calls from the host")
Signed-off-by: Mostafa Saleh
Signed-off-by: Sebastian Ene
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index 1a2abd0154c6..d7c5701d0584 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
@@ -352,7 +352,7 @@ static u32 __ffa_host_share_ranges(struct ffa_mem_regio= n_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_share_ffa(pfn, sz / PAGE_SIZE))
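Review bot: `PAGE_ALIGNED(sz | range->address)` is correct but reads as a trick; a short comment ("both the size and the base must be host-page aligned") or the explicit `!PAGE_ALIGNED(sz) || !PAGE_ALIGNED(range->address)` would make the intent obvious. Also, the existing `break` means a misaligned entry stops the loop after earlier ranges in the same call have already been shared; that was already the behaviour for an unaligned `sz`, but the check now fires on more inputs, so it is worth confirming the caller unwinds the partial share. The identical change in __ffa_host_unshare_ranges below should carry the same comment.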
@@ -372,7 +372,7 @@ static u32 __ffa_host_unshare_ranges(struct ffa_mem_reg= ion_addr_range *ranges, u64 sz =3D (u64)range->pg_cnt * FFA_PAGE_SIZE; u64 pfn =3D hyp_phys_to_pfn(range->address); =20 - if (!PAGE_ALIGNED(sz)) + if (!PAGE_ALIGNED(sz | range->address)) break; =20 if (__pkvm_host_unshare_ffa(pfn, sz / PAGE_SIZE))
--=20 2.54.0.1136.gdb2ca164c4-goog
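The 6/7 commit message describes the failure mode in words; the following added example (not code from the patch or the kernel) puts numbers on it. It assumes a 4 KiB FF-A granule and a 64 KiB host page, and the function names are mine. `range_ok_old` is the size-only check, `range_ok_new` the combined one from the patch, and `unshared_tail_bytes` computes how much of the range lies beyond the last host page pKVM would actually have transitioned when it truncates the base to a page frame.

```c
/*
 * Added example, not code from the patch or the kernel: why a size-only
 * alignment check is insufficient when the host page is larger than the
 * FF-A granule. Page sizes and names are assumptions for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define FFA_PAGE_SIZE  4096ULL     /* FF-A granule (assumed) */
#define HOST_PAGE_SIZE 65536ULL    /* assumed 64 KiB host PAGE_SIZE */

static bool page_aligned(uint64_t v) { return (v & (HOST_PAGE_SIZE - 1)) == 0; }

/* Old check: only the byte count had to be a whole number of host pages. */
bool range_ok_old(uint64_t addr, uint32_t pg_cnt)
{
    (void)addr;
    return page_aligned((uint64_t)pg_cnt * FFA_PAGE_SIZE);
}

/* Patched check: size and base must both be host-page aligned. OR-ing the
 * two works because a set low bit in either leaves a set low bit in the result. */
bool range_ok_new(uint64_t addr, uint32_t pg_cnt)
{
    uint64_t sz = (uint64_t)pg_cnt * FFA_PAGE_SIZE;
    return page_aligned(sz | addr);
}

/* Bytes of the requested range that lie past the last host page the
 * hypervisor would have marked shared after truncating addr to a pfn:
 * memory TZ may legitimately touch that was never transitioned. */
uint64_t unshared_tail_bytes(uint64_t addr, uint32_t pg_cnt)
{
    uint64_t sz = (uint64_t)pg_cnt * FFA_PAGE_SIZE;
    uint64_t shared_end = (addr & ~(HOST_PAGE_SIZE - 1)) + sz;
    uint64_t real_end = addr + sz;
    return real_end > shared_end ? real_end - shared_end : 0;
}

int main(void)
{
    /* constructed input: 16 FF-A pages (one host page) starting 4 KiB into a host page */
    uint64_t addr = 0x11000;
    uint32_t cnt = 16;
    printf("old check: %s, new check: %s, unshared tail: %llu bytes\n",
           range_ok_old(addr, cnt) ? "accept" : "reject",
           range_ok_new(addr, cnt) ? "accept" : "reject",
           (unsigned long long)unshared_tail_bytes(addr, cnt));
    return 0;
}
```

With the constructed input the old check accepts the range while 4 KiB of it sits in the next host page; the new check rejects it outright.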
Date: Wed, 17 Jun 2026 14:51:30 +0000
In-Reply-To: <20260617145130.3729015-1-sebastianene@google.com>
References: <20260617145130.3729015-1-sebastianene@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260617145130.3729015-8-sebastianene@google.com>
Subject: [PATCH v7 7/7] KVM: arm64: Zero out the stack initialized data in the FFA handler
From: Sebastian Ene
To: catalin.marinas@arm.com, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: jens.wiklander@linaro.org, joey.gouly@arm.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, maz@kernel.org, mrigendra.chaubey@gmail.com, op-tee@lists.trustedfirmware.org, perlarsen@google.com, sebastianene@google.com, seiden@linux.ibm.com, smostafa@google.com, sumit.garg@kernel.org, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com, Sashiko AI

Don't leak hypervisor stack data when using the FFA_VERSION call. When
the compiler doesn't support the -ftrivial-auto-var-init=zero option we
need to zero out the stack initialized variable before returning data to
the host caller.

Reported-by: Sashiko AI
Closes: https://lore.kernel.org/all/20260616160016.C62C81F000E9@smtp.kernel.org/
Fixes: c9c012625e12 ("KVM: arm64: Trap FFA_VERSION host call in pKVM")
Signed-off-by: Sebastian Ene
---
 arch/arm64/kvm/hyp/nvhe/ffa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
index d7c5701d0584..b321682ead04 100644
--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -883,7 +883,7 @@ static void do_ffa_part_get(struct arm_smccc_1_2_regs *= res, =20 bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt, u32 func_id) { - struct arm_smccc_1_2_regs res; + struct arm_smccc_1_2_regs res =3D {0}; =20 /* * There's no way we can tell what a non-standard SMC call might --=20 2.54.0.1136.gdb2ca164c4-goog
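Review bot: `= {0}` is adequate here because struct arm_smccc_1_2_regs is nothing but unsigned long registers (a0..a17), so there is no padding left uninitialised; the kernel's usual spelling is `= {}`, which also avoids a -Wmissing-braces warning should the first member ever become an aggregate. Since the commit message ties this to FFA_VERSION, a comment above the initializer naming the FFA_VERSION handler as the path that fills only part of `res` would tell future readers why every SMC handled here now pays for an 18-register zeroing.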