[for 24.04_linux-nvidia-6.17-next]: backport FF-A partition info descriptor size fix from linux-next #436

Open: jamieNguyenNVIDIA wants to merge 2 commits into NVIDIA:24.04_linux-nvidia-6.17-next from jamieNguyenNVIDIA:jamien/617-ffa-descriptor-size

@jamieNguyenNVIDIA jamieNguyenNVIDIA commented May 22, 2026

Summary

Backport FF-A driver fix to 24.04_linux-nvidia-6.17-next:

  • firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies — cherry-picked from mainline 3974ea1938406f9bfa7c1f48d4e43533f447bb08 (Sudeep Holla). Bounds-checks the firmware-provided indices in the register-based PARTITION_INFO_GET path so the copy loop cannot write past the caller buffer. Required as a prerequisite for the second patch.
  • firmware: arm_ffa: Honor partition info descriptor size — backported from linux-next 01b9cae706161a39452a2cce0f281d4369344c51 (Jamie Nguyen, via Sudeep Holla's tree). Makes __ffa_partition_info_get_regs() use the SPMC-advertised per-descriptor size as the register stride instead of the hardcoded 24-byte (regs += 3) value. Without this, an FF-A v1.3 SPMC returning the 48-byte descriptor desyncs the parser, causing every other entry to be read from a slice of two adjacent ones.

The former is taken as a dependency so that the latter applies cleanly.

Upstream references:

LP: https://bugs.launchpad.net/ubuntu/+source/linux-nvidia-7.0/+bug/2154045

Sudeep Holla and others added 2 commits May 22, 2026 12:50
The register-based PARTITION_INFO_GET path trusted the firmware-provided
indices when copying partition descriptors into the caller buffer.
Reject inconsistent counts or index progressions so the copy loop cannot
write past the allocated array.

Fixes: ba85c64 ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-6-8595ae450034@kernel.org
(fixed cur_idx when exactly one descriptor in the first fragment)
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
(cherry picked from commit 3974ea1)
Signed-off-by: Jamie Nguyen <jamien@nvidia.com>

FFA_PARTITION_INFO_GET_REGS reports the size of each partition
information descriptor in x2[63:48]. However, __ffa_partition_info_get_regs()
walks the returned register payload with a hardcoded 24-byte stride
(regs += 3), even though the size is already read into buf_sz.

That works for the FF-A v1.1/v1.2 24-byte descriptor layout, where each
descriptor consumes three registers. Newer FF-A revisions can extend the
descriptor while keeping the existing fields at the front. For example, a
48-byte descriptor consumes six registers, so advancing by only three
registers desynchronises the parser and can make it read subsequent entries
from the middle of a descriptor.

Use the advertised descriptor size to derive the register stride. Validate
that the size is register-aligned, large enough for the fields parsed by the
driver, and that the requested number of descriptors fits in the returned
x3..x17 register window. The driver still copies only the fields it
understands, but now skips over any trailing descriptor fields correctly.

Fixes: ba85c64 ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Suggested-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Jamie Nguyen <jamien@nvidia.com>
Link: https://patch.msgid.link/20260518203116.42624-1-jamien@nvidia.com
(sudeep.holla: Minor rewording of the commit message and subject)
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
(backported from commit 01b9cae706161a39452a2cce0f281d4369344c51 linux-next)
Signed-off-by: Jamie Nguyen <jamien@nvidia.com>
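
A userspace C model of the stride handling that the second commit message describes, added here as an illustration; it is not the driver's code or part of this PR. `parse_fixed`, `parse_sized`, `struct part_info`, the `out_cap` capacity check (a simplification of the first commit's bounds checks) and the sample register values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_WINDOW  15  /* payload registers x3..x17 */
#define MIN_DESC_SZ 24  /* v1.1/v1.2 layout: the fields this model parses */

struct part_info { uint64_t w[3]; };  /* hypothetical: leading 24 bytes only */

/* "Before": fixed three-register stride, ignores the advertised size. */
int parse_fixed(const uint64_t *regs, unsigned n, struct part_info *out)
{
    if (n > REG_WINDOW / 3)
        return -1;
    for (unsigned i = 0; i < n; i++)
        memcpy(&out[i], &regs[i * 3], MIN_DESC_SZ);
    return (int)n;
}

/* "After": stride derived from x2[63:48], validated before any copy. */
int parse_sized(uint64_t x2, const uint64_t *regs, unsigned n,
                struct part_info *out, unsigned out_cap)
{
    unsigned sz = (unsigned)(x2 >> 48);          /* descriptor size in bytes */

    if (sz < MIN_DESC_SZ || sz % sizeof(uint64_t))
        return -1;                               /* too small or unaligned */
    unsigned stride = sz / sizeof(uint64_t);     /* registers per descriptor */
    if (n == 0 || n > REG_WINDOW / stride || n > out_cap)
        return -1;                               /* exceeds window or buffer */
    for (unsigned i = 0; i < n; i++)             /* trailing fields skipped */
        memcpy(&out[i], &regs[i * stride], MIN_DESC_SZ);
    return (int)n;
}

/* Constructed sample: two 48-byte descriptors, words 0xA0.. and 0xB0.. */
static const uint64_t sample[REG_WINDOW] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5 };

int main(void)
{
    struct part_info a[2], b[2];
    parse_fixed(sample, 2, a);
    parse_sized((uint64_t)48 << 48, sample, 2, b, 2);
    printf("fixed: %#llx  sized: %#llx\n",
           (unsigned long long)a[1].w[0], (unsigned long long)b[1].w[0]);
    return 0;
}
```

With the fixed stride, the second entry starts at word `0xA3`, the middle of the first 48-byte descriptor; with the advertised size it starts at `0xB0`.
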
@nirmoy nirmoy added the help wanted label May 22, 2026

nirmoy commented May 22, 2026

Boro watcher review skipped

The GitHub watcher skips automatic boro reviews for PRs with more than 50 commits. This PR currently has 100 commits.

To run the review anyway, ask BaseOS_Kernel_Bot in #baseos-kernel:

review https://github.com/NVIDIA/NV-Kernels/pull/436

Head: 8507aacf0abf

This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher sees a newer PR head.

@jamieNguyenNVIDIA jamieNguyenNVIDIA force-pushed the jamien/617-ffa-descriptor-size branch from 8507aac to 8868c5d May 22, 2026 19:51

github-actions Bot commented May 22, 2026

PR Validation Report

Patchscan ✅ No Missing Fixes

All cherry-picked commits checked — no missing upstream fixes found.

PR Lint ❌ Errors found

Details
Checking 2 commits...

Cherry-pick digest:
┌──────────────┬──────────────────────────────────────────────────────────────────┬────────────┬─────────┬───────────────────────────┐
│ Local        │ Referenced upstream / Patch subject                              │ Patch-ID   │ Subject │ SoB chain                 │
├──────────────┼──────────────────────────────────────────────────────────────────┼────────────┼─────────┼───────────────────────────┤
│ 8868c5d68ff4 │ [SAUCE] firmware: arm_ffa: honor partition info descriptor size  │ N/A        │ N/A     │ jamien, holla, jamien     │
├──────────────┼──────────────────────────────────────────────────────────────────┼────────────┼─────────┼───────────────────────────┤
│ 227c3405f437 │ 3974ea193840 firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS co │ match      │ match   │ preserved + jamien added  │
└──────────────┴──────────────────────────────────────────────────────────────────┴────────────┴─────────┴───────────────────────────┘

Lint results:
E: 8868c5d68ff4 ("firmware: arm_ffa: Honor partition info descriptor"): not SAUCE/UBUNTU/Revert but has no upstream reference trailer (cherry picked from commit ... or backported from ...)

nirmoy commented May 22, 2026

Boro review

Latest watcher review: open review

Head: 8868c5d68ff4

This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher publishes a newer review.

@sforshee sforshee left a comment

Backports match upstream patches, everything looks to be annotated correctly.

Acked-by: Seth Forshee <sforshee@nvidia.com>

@clsotog clsotog self-requested a review May 22, 2026 22:48

@clsotog clsotog left a comment

Acked-by: Carol L Soto <csoto@nvidia.com>

@nirmoy nirmoy removed the help wanted label May 22, 2026