[for 24.04_linux-nvidia-6.17-next]: backport FF-A partition info descriptor size fix from linux-next#436
Closed
jamieNguyenNVIDIA wants to merge 2 commits into
Conversation
The register-based PARTITION_INFO_GET path trusted the firmware-provided indices when copying partition descriptors into the caller buffer. Reject inconsistent counts or index progressions so the copy loop cannot write past the allocated array. Fixes: ba85c64 ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS") Link: https://patch.msgid.link/20260428-ffa_fixes-v2-6-8595ae450034@kernel.org (fixed cur_idx when exactly one descriptor in the first fragment) Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org> (cherry picked from commit 3974ea1) Signed-off-by: Jamie Nguyen <jamien@nvidia.com>
FFA_PARTITION_INFO_GET_REGS reports the size of each partition information descriptor in x2[63:48]. However, __ffa_partition_info_get_regs() walks the returned register payload with a hardcoded 24-byte stride (regs += 3), even though the size is already read into buf_sz. That works for the FF-A v1.1/v1.2 24-byte descriptor layout, where each descriptor consumes three registers. Newer FF-A revisions can extend the descriptor while keeping the existing fields at the front. For example, a 48-byte descriptor consumes six registers, so advancing by only three registers desynchronises the parser and can make it read subsequent entries from the middle of a descriptor. Use the advertised descriptor size to derive the register stride. Validate that the size is register-aligned, large enough for the fields parsed by the driver, and that the requested number of descriptors fits in the returned x3..x17 register window. The driver still copies only the fields it understands, but now skips over any trailing descriptor fields correctly. Fixes: ba85c64 ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS") Suggested-by: Sudeep Holla <sudeep.holla@kernel.org> Signed-off-by: Jamie Nguyen <jamien@nvidia.com> Link: https://patch.msgid.link/20260518203116.42624-1-jamien@nvidia.com (sudeep.holla: Minor rewordng of the commit message and subject) Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org> (backported from commit 01b9cae linux-next) Signed-off-by: Jamie Nguyen <jamien@nvidia.com>
Collaborator
Boro watcher review skippedThe GitHub watcher skips automatic boro reviews for PRs with more than 50 commits. This PR currently has 100 commits. To run the review anyway, ask Head: This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher sees a newer PR head. |
jamieNguyenNVIDIA
force-pushed
the
jamien/617-ffa-descriptor-size
branch
from
8507aac to
8868c5d
Compare
Contributor
PR Validation ReportPatchscan ✅ No Missing FixesAll cherry-picked commits checked — no missing upstream fixes found. PR Lint ❌ Errors foundDetailsChecking 2 commits...
Cherry-pick digest:
┌──────────────┬──────────────────────────────────────────────────────────────────┬────────────┬─────────┬───────────────────────────┐
│ Local │ Referenced upstream / Patch subject │ Patch-ID │ Subject │ SoB chain │
├──────────────┼──────────────────────────────────────────────────────────────────┼────────────┼─────────┼───────────────────────────┤
│ 8868c5d68ff4 │ [SAUCE] firmware: arm_ffa: honor partition info descriptor size │ N/A │ N/A │ jamien, holla, jamien │
├──────────────┼──────────────────────────────────────────────────────────────────┼────────────┼─────────┼───────────────────────────┤
│ 227c3405f437 │ 3974ea193840 firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS co │ match │ match │ preserved + jamien added │
└──────────────┴──────────────────────────────────────────────────────────────────┴────────────┴─────────┴───────────────────────────┘
Lint results:
E: 8868c5d68ff4 ("firmware: arm_ffa: Honor partition info descriptor"): not SAUCE/UBUNTU/Revert but has no upstream reference trailer (cherry picked from commit ... or backported from ...)
|
Collaborator
Boro reviewLatest watcher review: open review Head: This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher publishes a newer review. |
sforshee
reviewed
May 22, 2026
Collaborator
sforshee
left a comment
sforshee
left a comment
There was a problem hiding this comment.
Backports match upstream patches, everything looks to be annotated correctly.
Acked-by: Seth Forshee <sforshee@nvidia.com>
clsotog
approved these changes
May 22, 2026
Collaborator
clsotog
left a comment
clsotog
left a comment
There was a problem hiding this comment.
Acked-by: Carol L Soto <csoto@nvidia.com>
Collaborator
|
|
Collaborator
|
Merged, closing PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Backport FF-A driver fix to
24.04_linux-nvidia-6.17-next:3974ea1938406f9bfa7c1f48d4e43533f447bb08(Sudeep Holla). Bounds-checks the firmware-provided indices in the register-based PARTITION_INFO_GET path so the copy loop cannot write past the caller buffer. Required as a prerequisite for the second patch.01b9cae706161a39452a2cce0f281d4369344c51(Jamie Nguyen, via Sudeep Holla's tree). Makes__ffa_partition_info_get_regs()use the SPMC-advertised per-descriptor size as the register stride instead of the hardcoded 24-byte (regs += 3) value. Without this, an FF-A v1.3 SPMC returning the 48-byte descriptor desyncs the parser, causing every other entry to be read from a slice of two adjacent ones.The former is taken as a dependency so that the latter applies cleanly.
Upstream references:
LP: https://bugs.launchpad.net/ubuntu/+source/linux-nvidia-7.0/+bug/2154045