From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:58 +0100
Subject: [PATCH 8/8] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
Message-Id: <20260423-ffa_fixes-v1-8-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

The register-based PARTITION_INFO_GET path trusted the firmware-provided indices when copying partition descriptors into the caller buffer. Reject inconsistent counts or index progressions so the copy loop cannot write past the allocated array.

Fixes: ba85c644ac8d ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index 40ade6edcf33..4bb86eb721cd 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -336,7 +336,7 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, do { __le64 *regs; - int idx; + int idx, nr_desc, buf_idx; start_idx = prev_idx ? prev_idx + 1 : 0; 
@@ -354,15 +354,25 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, count = PARTITION_COUNT(partition_info.a2); if (!buffer || !num_parts) /* count only */ return count; + if (count > num_parts) + return -EINVAL; cur_idx = CURRENT_INDEX(partition_info.a2); + if (cur_idx < start_idx || cur_idx >= count) + return -EINVAL; + + nr_desc = cur_idx - start_idx + 1; + buf_idx = buf - buffer; + if (buf_idx + nr_desc > num_parts) + return -EINVAL; + tag = UUID_INFO_TAG(partition_info.a2); buf_sz = PARTITION_INFO_SZ(partition_info.a2); if (buf_sz > sizeof(*buffer)) buf_sz = sizeof(*buffer); regs = (void *)&partition_info.a3; - for (idx = 0; idx < cur_idx - start_idx + 1; idx++, buf++) { + for (idx = 0; idx < nr_desc; idx++, buf++) { union { uuid_t uuid; u64 regs[2]; -- 2.43.0
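
Review bot: In the first hunk (-336,7), the new locals are declared as signed `int idx, nr_desc, buf_idx;`, yet buf_idx later receives the pointer difference `buf - buffer` and both nr_desc and buf_idx feed the comparison against num_parts. The types of num_parts, cur_idx and start_idx are not visible in this patch; if they are unsigned, declaring nr_desc and buf_idx with the same type would keep the new bounds checks free of mixed signed/unsigned arithmetic.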
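
Review bot: In the second hunk (-354,15), nr_desc is bounded against the destination (`buf_idx + nr_desc > num_parts`) but not against the source. The loop reads descriptors starting at `regs = (void *)&partition_info.a3;`, and one register response can only carry a fixed number of them, so a firmware reply whose cur_idx is far ahead of start_idx can pass all three new checks when the caller's buffer is large and still drive the loop to read beyond partition_info. Consider also rejecting an nr_desc larger than the number of descriptors a single response can hold. A short comment on `if (count > num_parts)` noting that the caller is expected to size the buffer from the count-only path just above it would document why this is treated as -EINVAL.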