Commit a6848a50 authored by Sudeep Holla's avatar Sudeep Holla
Browse files

firmware: arm_ffa: Fix sched-recv callback partition lookup 

ffa_sched_recv_cb_update() used list_for_each_entry_safe() to search for
a matching partition and then tested the iterator against NULL. That is
not a valid end-of-list check for circular lists and can fall through
with an invalid pointer. Use a normal iterator and detect the not-found
case correctly before touching the partition state.

Fixes: be61da93 ("firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-11-8595ae450034@kernel.org


Signed-off-by: default avatarSudeep Holla <sudeep.holla@kernel.org>
parent 38290b18

drivers/firmware/arm_ffa/driver.c

+3 −3
Original line number Diff line number Diff line
@@ -1207,7 +1207,7 @@ static int 
ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callback,

			 void *cb_data, bool is_registration)

{

	struct ffa_dev_part_info *partition = NULL, *tmp;

	struct ffa_dev_part_info *partition = NULL;

	struct list_head *phead;

	bool cb_valid;
@@ -1220,11 +1220,11 @@ ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callback, 
		return -EINVAL;

	}



	list_for_each_entry_safe(partition, tmp, phead, node)

	list_for_each_entry(partition, phead, node)

		if (partition->dev == dev)

			break;



	if (!partition) {

	if (&partition->node == phead) {

		pr_err("%s: No such partition ID 0x%x\n", __func__, dev->vm_id);

		return -EINVAL;

	}