[PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

Copying to a 16 byte structure into an 8-byte struct member
causes a compile-time warning:

In file included from drivers/firmware/arm_ffa/driver.c:25:
In function 'fortify_memcpy_chk',
    inlined from 'export_uuid' at include/linux/uuid.h:88:2,
    inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
  571 |                         __write_overflow_field(p_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a union for the conversion instead and make sure the byte order
is fixed in the process.

Fixes: aaef3bc98129 ("firmware: arm_ffa: Add support for FFA_MSG_SEND_DIRECT_{REQ,RESP}2")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
Not sure how endianess is handled in the ABI, adding the conversion
seemed sensible here to allow big-endian kernels on a little-endian
firmware, but it's possible that ff-a is already required to do
the byte swapping in this case.
---
 drivers/firmware/arm_ffa/driver.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 4d231bc375e0..8dd81db9b071 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -481,11 +481,16 @@ static int ffa_msg_send_direct_req2(u16 src_id, u16 dst_id, const uuid_t *uuid,
 				    struct ffa_send_direct_data2 *data)
 {
 	u32 src_dst_ids = PACK_TARGET_INFO(src_id, dst_id);
+	union {
+		uuid_t uuid;
+		__le64 regs[2];
+	} uuid_regs = { .uuid = *uuid };
 	ffa_value_t ret, args = {
-		.a0 = FFA_MSG_SEND_DIRECT_REQ2, .a1 = src_dst_ids,
+		.a0 = FFA_MSG_SEND_DIRECT_REQ2,
+		.a1 = src_dst_ids,
+		.a2 = le64_to_cpu(uuid_regs.regs[0]),
+		.a3 = le64_to_cpu(uuid_regs.regs[1]),
 	};
-
-	export_uuid((u8 *)&args.a2, uuid);
 	memcpy((void *)&args + offsetof(ffa_value_t, a4), data, sizeof(*data));
 
 	invoke_ffa_fn(args, &ret);
-- 
2.39.2

[PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

Copying to a 16 byte structure into an 8-byte struct member
causes a compile-time warning:

In file included from drivers/firmware/arm_ffa/driver.c:25:
In function 'fortify_memcpy_chk',
    inlined from 'export_uuid' at include/linux/uuid.h:88:2,
    inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
  571 |                         __write_overflow_field(p_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a union for the conversion instead and make sure the byte order
is fixed in the process.

Fixes: aaef3bc98129 ("firmware: arm_ffa: Add support for FFA_MSG_SEND_DIRECT_{REQ,RESP}2")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
Not sure how endianess is handled in the ABI, adding the conversion
seemed sensible here to allow big-endian kernels on a little-endian
firmware, but it's possible that ff-a is already required to do
the byte swapping in this case.
---
 drivers/firmware/arm_ffa/driver.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 4d231bc375e0..8dd81db9b071 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -481,11 +481,16 @@ static int ffa_msg_send_direct_req2(u16 src_id, u16 dst_id, const uuid_t *uuid,
 				    struct ffa_send_direct_data2 *data)
 {
 	u32 src_dst_ids = PACK_TARGET_INFO(src_id, dst_id);
+	union {
+		uuid_t uuid;
+		__le64 regs[2];
+	} uuid_regs = { .uuid = *uuid };
 	ffa_value_t ret, args = {
-		.a0 = FFA_MSG_SEND_DIRECT_REQ2, .a1 = src_dst_ids,
+		.a0 = FFA_MSG_SEND_DIRECT_REQ2,
+		.a1 = src_dst_ids,
+		.a2 = le64_to_cpu(uuid_regs.regs[0]),
+		.a3 = le64_to_cpu(uuid_regs.regs[1]),
 	};
-
-	export_uuid((u8 *)&args.a2, uuid);
 	memcpy((void *)&args + offsetof(ffa_value_t, a4), data, sizeof(*data));
 
 	invoke_ffa_fn(args, &ret);
-- 
2.39.2

Re: [PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Sudeep Holla]

On Mon, Sep 09, 2024 at 11:09:24AM +0000, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Copying to a 16 byte structure into an 8-byte struct member
> causes a compile-time warning:
> 
> In file included from drivers/firmware/arm_ffa/driver.c:25:
> In function 'fortify_memcpy_chk',
>     inlined from 'export_uuid' at include/linux/uuid.h:88:2,
>     inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
> include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
>   571 |                         __write_overflow_field(p_size_field, size);
>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Use a union for the conversion instead and make sure the byte order
> is fixed in the process.
> 

Thanks for spotting and fixing the issue. I tested enabling
CONFIG_FORTIFY_SOURCE but couldn't hit this with gcc 13 and clang 20

Also do you want this sent as fix on top of my FF-A PR now or after -rc1 ?

--
Regards,
Sudeep

Re: [PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Arnd Bergmann]

On Wed, Sep 11, 2024, at 14:14, Sudeep Holla wrote:
> On Mon, Sep 09, 2024 at 11:09:24AM +0000, Arnd Bergmann wrote:
>> From: Arnd Bergmann <arnd@arndb.de>
>> 
>> Copying to a 16 byte structure into an 8-byte struct member
>> causes a compile-time warning:
>> 
>> In file included from drivers/firmware/arm_ffa/driver.c:25:
>> In function 'fortify_memcpy_chk',
>>     inlined from 'export_uuid' at include/linux/uuid.h:88:2,
>>     inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
>> include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
>>   571 |                         __write_overflow_field(p_size_field, size);
>>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Use a union for the conversion instead and make sure the byte order
>> is fixed in the process.
>> 
>
> Thanks for spotting and fixing the issue. I tested enabling
> CONFIG_FORTIFY_SOURCE but couldn't hit this with gcc 13 and clang 20

Unfortunately I also don't have a reproducer at the moment,
but I know it was from a randconfig build with gcc-14.2. I tried
another few hundred randconfigs now with my patch reverted but it
didn't come back. I assume it only shows up in rare combinations
of some options,

Do you have any additional information on the endianess question?
Is this arm_ffa firmware code supposed to work with big-endian
kernels?

> Also do you want this sent as fix on top of my FF-A PR now or after -rc1 ?

Earlier would be better I think. I usually have one set of
bugfixes before rc1 even if it doesn't make it into the
first set of branches.

      Arnd

Re: [PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Sudeep Holla]

On Wed, Sep 11, 2024 at 02:44:25PM +0000, Arnd Bergmann wrote:
> On Wed, Sep 11, 2024, at 14:14, Sudeep Holla wrote:
> > On Mon, Sep 09, 2024 at 11:09:24AM +0000, Arnd Bergmann wrote:
> >> From: Arnd Bergmann <arnd@arndb.de>
> >> 
> >> Copying to a 16 byte structure into an 8-byte struct member
> >> causes a compile-time warning:
> >> 
> >> In file included from drivers/firmware/arm_ffa/driver.c:25:
> >> In function 'fortify_memcpy_chk',
> >>     inlined from 'export_uuid' at include/linux/uuid.h:88:2,
> >>     inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
> >> include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> >>   571 |                         __write_overflow_field(p_size_field, size);
> >>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> 
> >> Use a union for the conversion instead and make sure the byte order
> >> is fixed in the process.
> >> 
> >
> > Thanks for spotting and fixing the issue. I tested enabling
> > CONFIG_FORTIFY_SOURCE but couldn't hit this with gcc 13 and clang 20
> 
> Unfortunately I also don't have a reproducer at the moment,
> but I know it was from a randconfig build with gcc-14.2. I tried
> another few hundred randconfigs now with my patch reverted but it
> didn't come back. I assume it only shows up in rare combinations
> of some options,
>

Oh OK.

> Do you have any additional information on the endianess question?
> Is this arm_ffa firmware code supposed to work with big-endian
> kernels?
>

I am trying to check if that is a requirement. Also the specification
doesn't have any specific mention about it. Since it executes on the same
AP cores as Linux in different EL, I assume the entire stack must be
running same endian-ness. I will check internally. Unlike SCMI, I haven't
tested FF-A with big-endian kernel so far.

> > Also do you want this sent as fix on top of my FF-A PR now or after -rc1 ?
> 
> Earlier would be better I think. I usually have one set of
> bugfixes before rc1 even if it doesn't make it into the
> first set of branches.
>

I will try to send earlier unless this endian-ness triggers more questions.
I will update here anyways.

-- 
Regards,
Sudeep

Re: [PATCH] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()

[Sudeep Holla]

On Mon, 09 Sep 2024 11:09:24 +0000, Arnd Bergmann wrote:
> Copying to a 16 byte structure into an 8-byte struct member
> causes a compile-time warning:
> 
> In file included from drivers/firmware/arm_ffa/driver.c:25:
> In function 'fortify_memcpy_chk',
>     inlined from 'export_uuid' at include/linux/uuid.h:88:2,
>     inlined from 'ffa_msg_send_direct_req2' at drivers/firmware/arm_ffa/driver.c:488:2:
> include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
>   571 |                         __write_overflow_field(p_size_field, size);
>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> [...]

Sorry for the delay, was trying to see if I can test BE kernel and see if
it needs more fixing. The spec does require all memory region to be LE.
I will do that later, for now I am pulling this as fix for v6.12

Applied to sudeep.holla/linux (for-next/ffa/fixes), thanks!

[1/1] firmware: arm_ffa: avoid string-fortify warningn in export_uuid()
      https://git.kernel.org/sudeep.holla/c/629253b2f6d7
--
Regards,
Sudeep