* [PATCH -next] firmware: imx: secure-enclave: avoid casting userspace pointers
@ 2026-05-07 6:54 Pankaj Gupta
From: Pankaj Gupta @ 2026-05-07 6:54 UTC (permalink / raw)
To: linux-kernel; +Cc: frank.li, imx, Pankaj Gupta, kernel test robot
Sparse reports warnings where userspace pointers are cast to kernel
pointers, dropping the '__user' address space annotation.
In the ioctl and write paths, the transmit message header was validated
by casting userspace buffers directly to struct se_msg_hdr. Fix this by
validating the header using the kernel copy obtained via memdup_user()
instead.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202605062306.sx2OL0Ul-lkp@intel.com/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
drivers/firmware/imx/se_ctrl.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 2ba0a6988a39..d2f7780054a3 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -532,19 +532,6 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
return -ENOSPC;
}
- err = se_chk_tx_msg_hdr(priv, (struct se_msg_hdr *)cmd_snd_rcv_rsp_info.tx_buf);
- if (err) {
- se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
- return err;
- }
-
- struct se_api_msg *rx_msg __free(kfree) =
- kzalloc(cmd_snd_rcv_rsp_info.rx_buf_sz, GFP_KERNEL);
- if (!rx_msg) {
- se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
- return -ENOMEM;
- }
-
struct se_api_msg *tx_msg __free(kfree) =
memdup_user(cmd_snd_rcv_rsp_info.tx_buf,
cmd_snd_rcv_rsp_info.tx_buf_sz);
@@ -554,6 +541,12 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
return err;
}
+ err = se_chk_tx_msg_hdr(priv, &tx_msg->header);
+ if (err) {
+ se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
+ return err;
+ }
+
if (tx_msg->header.tag != priv->if_defs->cmd_tag) {
se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
return -EINVAL;
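Review bot: The added `se_chk_tx_msg_hdr(priv, &tx_msg->header)` reads the header from the memdup_user() copy, which is only in bounds if `cmd_snd_rcv_rsp_info.tx_buf_sz` is at least the header size, and no such lower bound is visible in this hunk. The write path guards this with `if (size < SE_MU_HDR_SZ)` before copying. The `-ENOSPC` return earlier in the function may be the ioctl equivalent, but its condition is outside the diff. If it is not, add `if (cmd_snd_rcv_rsp_info.tx_buf_sz < SE_MU_HDR_SZ)` with the cleanup call and `return -EINVAL;` ahead of memdup_user(). The function body starts and ends outside the hunk.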
@@ -570,6 +563,13 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
}
set_se_rcv_msg_timeout(priv, SE_RCV_MSG_LONG_TIMEOUT);
+ struct se_api_msg *rx_msg __free(kfree) =
+ kzalloc(cmd_snd_rcv_rsp_info.rx_buf_sz, GFP_KERNEL);
+ if (!rx_msg) {
+ se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
+ return -ENOMEM;
+ }
+
err = ele_msg_send_rcv(dev_ctx, tx_msg, cmd_snd_rcv_rsp_info.tx_buf_sz,
rx_msg, cmd_snd_rcv_rsp_info.rx_buf_sz);
if (err < 0) {
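Review bot: The `-ENOMEM` return for `rx_msg` now comes after `set_se_rcv_msg_timeout(priv, SE_RCV_MSG_LONG_TIMEOUT)`, so a failed allocation exits with the long timeout already set. Whether `se_ioctl_cmd_snd_rcv_cleanup()` restores the timeout is not visible here. Placing the allocation just before the `set_se_rcv_msg_timeout()` call would still defer it past the header checks without raising that ordering question. `rx_buf_sz` appears to come from the user-supplied ioctl argument, so its upper bound should be confirmed earlier in the function before it reaches `kzalloc()`. The commit message describes only the header validation and should mention this move.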
@@ -759,10 +759,6 @@ static ssize_t se_if_fops_write(struct file *fp, const char __user *buf,
if (dev_ctx != priv->cmd_receiver_clbk_hdl.dev_ctx)
return -EINVAL;
- err = se_chk_tx_msg_hdr(priv, (struct se_msg_hdr *)buf);
- if (err)
- return err;
-
if (size < SE_MU_HDR_SZ) {
dev_err(priv->dev, "%s: User buffer too small(%zu < %d).",
dev_ctx->devname, size, SE_MU_HDR_SZ);
@@ -773,6 +769,10 @@ static ssize_t se_if_fops_write(struct file *fp, const char __user *buf,
if (IS_ERR(tx_msg))
return PTR_ERR(tx_msg);
+ err = se_chk_tx_msg_hdr(priv, &tx_msg->header);
+ if (err)
+ return err;
+
print_hex_dump_debug("from user ", DUMP_PREFIX_OFFSET, 4, 4,
tx_msg, size, false);
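Review bot: The added `return err;` after `se_chk_tx_msg_hdr()` exits while the memdup_user() copy is still allocated, so it is leak-free only if `tx_msg` is declared with `__free(kfree)` as in the ioctl handler. That declaration is outside this hunk and should be confirmed. A short comment above the check would record why the dereference is safe, for example `/* size >= SE_MU_HDR_SZ was checked above, so the header lies inside the kernel copy */`, assuming SE_MU_HDR_SZ covers struct se_msg_hdr.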
--
2.43.0