* FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 6.6-stable tree @ 2025-11-24 10:52 gregkh 2025-11-24 14:11 ` [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share Sasha Levin 0 siblings, 1 reply; 7+ messages in thread From: gregkh @ 2025-11-24 10:52 UTC (permalink / raw) To: sebastianene, maz, will; +Cc: stable The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2025112429-pasture-geometry-591b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene@google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene@google.com> Acked-by: Will Deacon <will@kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz@kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c 
+++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; } ^ permalink raw reply related [flat|nested] 7+ messages in thread
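Review bot: `checked_offset` in the first hunk is declared u32 alongside `offset`, while `sizeof(struct ffa_composite_mem_region)` is a size_t; since `check_add_overflow()` reports overflow relative to the destination's type, that 32-bit destination is exactly what makes the second hunk reject the [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] range the commit message describes. A one-line comment on the declaration saying the width is deliberate would keep a later cleanup from widening it and silently losing the check.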
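Review bot: the two new `if` blocks in the second hunk share an identical error path (`ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock;`); they could be folded into a single condition, `if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset) || fraglen < checked_offset)`, which preserves the short-circuit order so `checked_offset` is only read once the addition is known not to have overflowed. A short comment above the check noting that `offset` is taken from the host-supplied descriptor and is the untrusted value named in the commit message would also help the next reader see why a plain comparison was not enough.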
* [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 10:52 FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 6.6-stable tree gregkh @ 2025-11-24 14:11 ` Sasha Levin 2025-11-24 14:50 ` Greg KH 0 siblings, 1 reply; 7+ messages in thread From: Sasha Levin @ 2025-11-24 14:11 UTC (permalink / raw) To: stable; +Cc: Sebastian Ene, Will Deacon, Marc Zyngier, Sasha Levin From: Sebastian Ene <sebastianene@google.com> [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene@google.com> Acked-by: Will Deacon <will@kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 8d21ab904f1a9..eacf4ba1d88e9 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, DECLARE_REG(u32, npages_mbz, ctxt, 4); struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || 
@@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; } -- 2.51.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
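Review bot: the 6.6.y hunks differ from the upstream commit only in line numbers (`@@ -425` / `@@ -460` here against `@@ -479` / `@@ -516` upstream) and in the first hunk's leading context, where this tree shows `DECLARE_REG(u32, npages_mbz, ctxt, 4);` in place of upstream's `struct ffa_mem_region_attributes *ep_mem_access;`; the added check itself is byte-identical to mainline. Since the automated cherry-pick failed, a sentence in the backport's commit message recording that the resolution was context-only, with no functional change, would save the stable reviewers from re-deriving that from the diff.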
* Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 14:11 ` [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share Sasha Levin @ 2025-11-24 14:50 ` Greg KH 2025-11-24 15:00 ` Sebastian Ene 0 siblings, 1 reply; 7+ messages in thread From: Greg KH @ 2025-11-24 14:50 UTC (permalink / raw) To: Sasha Levin; +Cc: stable, Sebastian Ene, Will Deacon, Marc Zyngier On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote: > From: Sebastian Ene <sebastianene@google.com> > > [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] > > Verify the offset to prevent OOB access in the hypervisor > FF-A buffer in case an untrusted large enough value > [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] > is set from the host kernel. > > Signed-off-by: Sebastian Ene <sebastianene@google.com> > Acked-by: Will Deacon <will@kernel.org> > Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com > Signed-off-by: Marc Zyngier <maz@kernel.org> > Signed-off-by: Sasha Levin <sashal@kernel.org> > --- > arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c > index 8d21ab904f1a9..eacf4ba1d88e9 100644 > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c > @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, > DECLARE_REG(u32, npages_mbz, ctxt, 4); > struct ffa_composite_mem_region *reg; > struct ffa_mem_region *buf; > - u32 offset, nr_ranges; > + u32 offset, nr_ranges, checked_offset; > int ret = 0; > > if (addr_mbz || npages_mbz || fraglen > len || 
> @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, > goto out_unlock; > } > > - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { > + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } I was told that a "straight" backport like this was not correct, so we need a "better" one :( Sebastian, can you provide the correct backport for 6.6.y please? thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 14:50 ` Greg KH @ 2025-11-24 15:00 ` Sebastian Ene 2025-11-24 15:19 ` Sasha Levin 2025-11-24 15:56 ` Greg KH 0 siblings, 2 replies; 7+ messages in thread From: Sebastian Ene @ 2025-11-24 15:00 UTC (permalink / raw) To: Greg KH; +Cc: Sasha Levin, stable, Will Deacon, Marc Zyngier On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote: > On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote: > > From: Sebastian Ene <sebastianene@google.com> > > > > [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] > > > > Verify the offset to prevent OOB access in the hypervisor > > FF-A buffer in case an untrusted large enough value > > [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] > > is set from the host kernel. > > > > Signed-off-by: Sebastian Ene <sebastianene@google.com> > > Acked-by: Will Deacon <will@kernel.org> > > Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > Signed-off-by: Sasha Levin <sashal@kernel.org> > > --- > > arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- > > 1 file changed, 7 insertions(+), 2 deletions(-) > > > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c > > index 8d21ab904f1a9..eacf4ba1d88e9 100644 > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c > > @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > DECLARE_REG(u32, npages_mbz, ctxt, 4); > > struct ffa_composite_mem_region *reg; > > struct ffa_mem_region *buf; > > - u32 offset, nr_ranges; > > + u32 offset, nr_ranges, checked_offset; > > int ret = 0; > > > > if (addr_mbz || npages_mbz || fraglen > len || 
> > @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > goto out_unlock; > > } > > > > - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { > > + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out_unlock; > > + } hello Greg, > > I was told that a "straight" backport like this was not correct, so we > need a "better" one :( > > Sebastian, can you provide the correct backport for 6.6.y please? > I think Sasha's patch is doing the right thing. Sasha thanks for posting it so fast. I looked up the other failed patches on stable and the reason why the patch doesn't apply is because we don't have the FF-A proxy in the following versions: - 5.4, 5.10, 5.15, 6.1 > thanks, > > greg k-h thanks, Sebastian ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 15:00 ` Sebastian Ene @ 2025-11-24 15:19 ` Sasha Levin 2025-11-24 15:56 ` Greg KH 1 sibling, 0 replies; 7+ messages in thread From: Sasha Levin @ 2025-11-24 15:19 UTC (permalink / raw) To: Sebastian Ene; +Cc: Greg KH, stable, Will Deacon, Marc Zyngier On Mon, Nov 24, 2025 at 03:00:00PM +0000, Sebastian Ene wrote: >On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote: >> On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote: >> > From: Sebastian Ene <sebastianene@google.com> >> > >> > [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] >> > >> > Verify the offset to prevent OOB access in the hypervisor >> > FF-A buffer in case an untrusted large enough value >> > [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] >> > is set from the host kernel. >> > >> > Signed-off-by: Sebastian Ene <sebastianene@google.com> >> > Acked-by: Will Deacon <will@kernel.org> >> > Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com >> > Signed-off-by: Marc Zyngier <maz@kernel.org> >> > Signed-off-by: Sasha Levin <sashal@kernel.org> >> > --- >> > arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- >> > 1 file changed, 7 insertions(+), 2 deletions(-) >> > >> > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c >> > index 8d21ab904f1a9..eacf4ba1d88e9 100644 >> > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c >> > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c >> > @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, >> > DECLARE_REG(u32, npages_mbz, ctxt, 4); >> > struct ffa_composite_mem_region *reg; >> > struct ffa_mem_region *buf; >> > - u32 offset, nr_ranges; >> > + u32 offset, nr_ranges, checked_offset; >> > int ret = 0; >> > >> > if (addr_mbz || npages_mbz || fraglen > len || 
>> > @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, >> > goto out_unlock; >> > } >> > >> > - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { >> > + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { >> > + ret = FFA_RET_INVALID_PARAMETERS; >> > + goto out_unlock; >> > + } > >hello Greg, > >> >> I was told that a "straight" backport like this was not correct, so we >> need a "better" one :( >> >> Sebastian, can you provide the correct backport for 6.6.y please? >> > >I think Sasha's patch is doing the right thing. Sasha thanks for >posting it so fast. For the record, my patch just adjusted line numbers a bit; there were no conflicts. >I looked up the other failed patches on stable and the reason why the patch doesn't >apply is because we don't have the FF-A proxy in the following versions: > - 5.4, 5.10, 5.15, 6.1 Right, I noticed that and assumed that this isn't needed on those older trees. -- Thanks, Sasha ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 15:00 ` Sebastian Ene 2025-11-24 15:19 ` Sasha Levin @ 2025-11-24 15:56 ` Greg KH 2025-11-24 19:53 ` Sebastian Ene 1 sibling, 1 reply; 7+ messages in thread From: Greg KH @ 2025-11-24 15:56 UTC (permalink / raw) To: Sebastian Ene; +Cc: Sasha Levin, stable, Will Deacon, Marc Zyngier On Mon, Nov 24, 2025 at 03:00:00PM +0000, Sebastian Ene wrote: > On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote: > > On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote: > > > From: Sebastian Ene <sebastianene@google.com> > > > > > > [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] > > > > > > Verify the offset to prevent OOB access in the hypervisor > > > FF-A buffer in case an untrusted large enough value > > > [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] > > > is set from the host kernel. > > > > > > Signed-off-by: Sebastian Ene <sebastianene@google.com> > > > Acked-by: Will Deacon <will@kernel.org> > > > Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com > > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > > Signed-off-by: Sasha Levin <sashal@kernel.org> > > > --- > > > arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- > > > 1 file changed, 7 insertions(+), 2 deletions(-) > > > > > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c > > > index 8d21ab904f1a9..eacf4ba1d88e9 100644 > > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c > > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c > > > @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > > DECLARE_REG(u32, npages_mbz, ctxt, 4); > > > struct ffa_composite_mem_region *reg; > > > struct ffa_mem_region *buf; > > > - u32 offset, nr_ranges; > > > + u32 offset, nr_ranges, checked_offset; > > > int ret = 0; > > > > > > if (addr_mbz || npages_mbz || fraglen > len || 
> > > @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > > goto out_unlock; > > > } > > > > > > - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { > > > + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { > > > + ret = FFA_RET_INVALID_PARAMETERS; > > > + goto out_unlock; > > > + } > > hello Greg, > > > > > I was told that a "straight" backport like this was not correct, so we > > need a "better" one :( > > > > Sebastian, can you provide the correct backport for 6.6.y please? > > > > I think Sasha's patch is doing the right thing. Sasha thanks for > posting it so fast. Then why is the backport that is in the android 6.6.y kernel branches different from this one? Which one is "correct"? thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share 2025-11-24 15:56 ` Greg KH @ 2025-11-24 19:53 ` Sebastian Ene 0 siblings, 0 replies; 7+ messages in thread From: Sebastian Ene @ 2025-11-24 19:53 UTC (permalink / raw) To: Greg KH; +Cc: Sasha Levin, stable, Will Deacon, Marc Zyngier On Mon, Nov 24, 2025 at 04:56:17PM +0100, Greg KH wrote: > On Mon, Nov 24, 2025 at 03:00:00PM +0000, Sebastian Ene wrote: > > On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote: > > > On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote: > > > > From: Sebastian Ene <sebastianene@google.com> > > > > > > > > [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ] > > > > > > > > Verify the offset to prevent OOB access in the hypervisor > > > > FF-A buffer in case an untrusted large enough value > > > > [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] > > > > is set from the host kernel. > > > > > > > > Signed-off-by: Sebastian Ene <sebastianene@google.com> > > > > Acked-by: Will Deacon <will@kernel.org> > > > > Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com > > > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > > > Signed-off-by: Sasha Levin <sashal@kernel.org> > > > > --- > > > > arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- > > > > 1 file changed, 7 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c > > > > index 8d21ab904f1a9..eacf4ba1d88e9 100644 > > > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c > > > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c > > > > @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > > > DECLARE_REG(u32, npages_mbz, ctxt, 4); > > > > struct ffa_composite_mem_region *reg; > > > > struct ffa_mem_region *buf; > > > > - u32 offset, nr_ranges; > > > > + u32 offset, nr_ranges, checked_offset; > > > > int ret = 0; > > > > > > > > if (addr_mbz || npages_mbz || fraglen > len || 
> > > > @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, > > > > goto out_unlock; > > > > } > > > > > > > > - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { > > > > + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { > > > > + ret = FFA_RET_INVALID_PARAMETERS; > > > > + goto out_unlock; > > > > + } > > > > hello Greg, > > > > > > > > I was told that a "straight" backport like this was not correct, so we > > > need a "better" one :( > > > > > > Sebastian, can you provide the correct backport for 6.6.y please? > > > > > > > I think Sasha's patch is doing the right thing. Sasha thanks for > > posting it so fast. > > Then why is the backport that is in the android 6.6.y kernel branches > different from this one? Which one is "correct"? > Right, there is a slight difference between the two which doesn't affect the correctness in any way. The one from the android 6.6 branch uses the ffa_to_smccc_error call to post the return code instead of simply setting the ret code and returning. The correct one is the one from Sasha. The one from the android 6.6 tree is labeled incorrectly FROMGIT, it should be BACKPORT: FROMGIT: because it has this small difference. I hope this clarifies it. > thanks, > > greg k-h Thanks, Sebastian ^ permalink raw reply [flat|nested] 7+ messages in thread