Re: [PATCH v7 6/7] KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Sebastian Ene" <sebastianene@google.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
	kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH v7 6/7] KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler
Date: Mon, 29 Jun 2026 12:46:17 +0000	[thread overview]
Message-ID: <20260629124618.38FC81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629093558.2425257-7-sebastianene@google.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Critical] Passing through FFA_NOTIFICATION_INFO_GET without RX buffer proxying or locking causes memory corruption and DoS.

Pre-existing issues:
- [High] Missing masking of unsupported optional FF-A 1.1/1.2 interfaces (e.g., FFA_MSG_SEND2) leads to hypervisor information leaks.
--

commit a13e0f442f3327dcf7e9cad61d255528a3a9dd89
Author: Sebastian Ene <sebastianene@google.com>

KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler

This patch allows the host to send FF-A notification queries to Trustzone and
proxy these messages from pKVM.

> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> @@ -678,8 +678,6 @@ static bool ffa_call_supported(u64 func_id)
>  	case FFA_RXTX_MAP:
>  	case FFA_MEM_DONATE:
>  	case FFA_MEM_RETRIEVE_REQ:
> -       /* Optional notification interfaces added in FF-A 1.1 */
> -	case FFA_NOTIFICATION_INFO_GET:
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[Severity: Critical]
Does removing this from the block list allow the call to pass directly
to EL3 without acquiring host_buffers.lock?

Under the FF-A 1.1 specification, if the endpoints list exceeds register
capacity, EL3 writes it to the caller's (EL2's) RX buffer (hyp_buffers.rx).

If this happens concurrently with do_ffa_mem_reclaim() running on another CPU,
could this un-locked write corrupt the buffer during parsing?

Also, since EL2 does not intercept this to proxy the data or issue an
FFA_RX_RELEASE, will hyp_buffers.rx be left permanently marked 'Full' by EL3,
causing subsequent hypercalls requiring the RX buffer to fail?

[Severity: High]
This is a pre-existing issue, but are we missing masking for other optional
FF-A 1.1/1.2 interfaces like FFA_MSG_SEND2, FFA_RX_ACQUIRE, and
FFA_MEM_PERM_GET here in ffa_call_supported()?

If FFA_MSG_SEND2 passes through to EL3, EL3 will read the message payload
from EL2's TX buffer (hyp_buffers.tx).

Since EL2 does not proxy this call or populate the TX buffer with the host's
data, could EL3 end up sending uninitialized or stale hypervisor memory
(such as previous memory sharing descriptors) to the destination partition?

>  	/* Optional interfaces added in FF-A 1.2 */
>  	case FFA_MSG_SEND_DIRECT_REQ2:		/* Optional per 7.5.1 */
>  	case FFA_MSG_SEND_DIRECT_RESP2:		/* Optional per 7.5.1 */

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629093558.2425257-1-sebastianene@google.com?part=6

next prev parent reply	other threads:[~2026-06-29 12:46 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  9:35 [PATCH v7 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Sebastian Ene
2026-06-29  9:35 ` [PATCH v7 1/7] KVM: arm64: Forward FFA_NOTIFICATION_BITMAP calls to Trustzone Sebastian Ene
2026-06-29  9:35 ` [PATCH v7 2/7] KVM: arm64: Support FFA_NOTIFICATION_BIND in host handler Sebastian Ene
2026-06-29  9:35 ` [PATCH v7 3/7] KVM: arm64: Support FFA_NOTIFICATION_UNBIND " Sebastian Ene
2026-06-29 10:16   ` sashiko-bot
2026-06-29  9:35 ` [PATCH v7 4/7] KVM: arm64: Support FFA_NOTIFICATION_SET " Sebastian Ene
2026-06-29 10:25   ` sashiko-bot
2026-06-29  9:35 ` [PATCH v7 5/7] KVM: arm64: Support FFA_NOTIFICATION_GET " Sebastian Ene
2026-06-29  9:35 ` [PATCH v7 6/7] KVM: arm64: Support FFA_NOTIFICATION_INFO_GET " Sebastian Ene
2026-06-29 12:46   ` sashiko-bot [this message]
2026-06-29  9:35 ` [PATCH v7 7/7] KVM: arm64: Enforce strict SBZ checks in the FF-A proxy Sebastian Ene
2026-06-29 12:58   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629124618.38FC81F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=kvmarm@lists.linux.dev \
    --cc=maz@kernel.org \
    --cc=oupton@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=sebastianene@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.