From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED3A131A567
	for <linux-kernel@vger.kernel.org>; Thu, 23 Apr 2026 17:23:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776965034; cv=none; b=k7PV8zLCjBndx+JU4QmEYVgxZ6k+La2KKKnmSwn7Ykhtbal5af+AIdheBG8ZeaOS8HQ8fVm8WZ1o6fQLk3wLx/fBOlB5lFwWb5825qHda5b3r4S02y0XXfOK39sBDwWWD5orza7WKt8p3Pk/3VVznQLNBHo5gr6Ugq2Ti3QobYY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776965034; c=relaxed/simple;
	bh=+yGV+FJC4L0WAgipLE4zNhiVdIllPsS497DhNi03mkc=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc; b=TArYHyHMGciJ87ypRhkYORcxLZ/a8ELo2jmG2p5BLehCnTGpPCBtGQ6iOqUIVaDYINH8rkYDJurCrXbkjopPQr1nA5AP8aUoWhysM/T1UuOW6SspOh2YeZL+ZHRby2jFMgZXf9GmoFfL1kTOXQBK27RgfHkmatU0lyeMfxQT/YE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jvAXMPNd; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jvAXMPNd"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9F15C2BCAF;
	Thu, 23 Apr 2026 17:23:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1776965033;
	bh=+yGV+FJC4L0WAgipLE4zNhiVdIllPsS497DhNi03mkc=;
	h=From:Date:Subject:References:In-Reply-To:To:Cc:From;
	b=jvAXMPNdhyz1hMYVHgljosCvAFReQtMoiJT5kDmXgq105o6ti/nBOefIXzqggW7FN
	 I/0RvheNAJsDv6s7JIE1lSELYKQ5gkGMPDNMIIX8YbDxCXt4HIq/5k/lzHJ6KYHGFe
	 29VzVvwZgK/l2W94wG/LBS5vGhG9k3e3NzGNmLc8XOu10h16yo3X9AmyQYUJBz/bRM
	 qEJZfELjtApvBHtMS7s1rFjh0zxU61MNKVKZj7SmWJYSn9PfmAGLUUdPfyQ3T9qZUi
	 dgN7gADfkZ+Pu0mJ3ZTsKjgHCO8JLUUVkTBphsAesnAIUT0cM4uIk/3+39jBGgW23r
	 WBYrqQ4JVtPsw==
From: Sudeep Holla <sudeep.holla@kernel.org>
Date: Thu, 23 Apr 2026 18:22:54 +0100
Subject: [PATCH 4/8] firmware: arm_ffa: Fix Rx buffer release in fwk
 notification handler
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20260423-ffa_fixes-v1-4-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander <jens.wiklander@linaro.org>, 
 Sudeep Holla <sudeep.holla@kernel.org>
X-Mailer: b4 0.15.2

Refactor handle_fwk_notif_callbacks() so that all exit paths funnel
through a single FFA_RX_RELEASE call. While doing that, use scoped_guard()
for the Rx buffer lock and keep the message parsing under the lock scope.

This makes the Rx buffer release explicit for the kmemdup() failure path
and for the early exit when the framework notification bit is not set.

This will ensure the Rx buffer is always release in the framework
notification handler.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/firmware/arm_ffa/driver.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 4dec7ca52f8c..764cb1226182 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1472,25 +1472,21 @@ static void handle_fwk_notif_callbacks(u32 bitmap)
 
 	/* Only one framework notification defined and supported for now */
 	if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL))
-		return;
+		goto release_rx;
 
-	mutex_lock(&drv_info->rx_lock);
+	scoped_guard(mutex, &drv_info->rx_lock) {
+		msg = drv_info->rx_buffer;
+		buf = kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL);
+		if (!buf)
+			goto release_rx;
 
-	msg = drv_info->rx_buffer;
-	buf = kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL);
-	if (!buf) {
-		mutex_unlock(&drv_info->rx_lock);
-		return;
+		target = SENDER_ID(msg->send_recv_id);
+		if (msg->offset >= sizeof(*msg))
+			uuid_copy(&uuid, &msg->uuid);
+		else
+			uuid_copy(&uuid, &uuid_null);
 	}
 
-	target = SENDER_ID(msg->send_recv_id);
-	if (msg->offset >= sizeof(*msg))
-		uuid_copy(&uuid, &msg->uuid);
-	else
-		uuid_copy(&uuid, &uuid_null);
-
-	mutex_unlock(&drv_info->rx_lock);
-
 	ffa_rx_release();
 
 	read_lock(&drv_info->notify_lock);
@@ -1500,6 +1496,11 @@ static void handle_fwk_notif_callbacks(u32 bitmap)
 	if (cb_info && cb_info->fwk_cb)
 		cb_info->fwk_cb(notify_id, cb_info->cb_data, buf);
 	kfree(buf);
+
+	return;
+
+release_rx:
+	ffa_rx_release();
 }
 
 static void notif_get_and_handle(void *cb_data)

-- 
2.43.0