[PATCH] firmware: arm_ffa: Fix NULL dereference in ffa_partition_info_get()
Sudeep Holla
sudeep.holla at kernel.org
Fri Jun 12 03:55:21 PDT 2026
On Thu, Jun 11, 2026 at 01:19:17PM -0700, Unnathi Chalicheemala wrote:
> ffa_partition_info_get() passes uuid_str directly to uuid_parse()
> without a NULL check. When a caller passes NULL (or an empty string),
> uuid_parse() → __uuid_parse() → uuid_is_valid() dereferences the
> pointer, causing a kernel panic:
>
> Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000040
> pc : uuid_parse+0x40/0xac
> lr : ffa_partition_info_get+0x1c/0x94 [arm_ffa]
>
The above is a very valid issue and needs to be addressed.
> Per the FF-A spec, the all-zeros UUID is the defined wildcard that
> instructs the SPMC to return information for all partitions. Map NULL
> and empty string to uuid_null rather than crashing in uuid_parse(),
> preserving the intended "return all partitions" semantics for callers
> that pass NULL.
>
Agreed on the spec part but not w.r.t. the interface. Where is the driver
using this call, and why does it send NULL or want to extract all the
partition information?
> Fixes: d0c0bce83122 ("firmware: arm_ffa: Setup in-kernel users of FFA partitions")
> Signed-off-by: Unnathi Chalicheemala <unnathi.chalicheemala at oss.qualcomm.com>
> ---
> drivers/firmware/arm_ffa/driver.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
> index b9f17fda7243..dd500fb81b79 100644
> --- a/drivers/firmware/arm_ffa/driver.c
> +++ b/drivers/firmware/arm_ffa/driver.c
> @@ -1129,7 +1129,9 @@ static int ffa_partition_info_get(const char *uuid_str,
> uuid_t uuid;
> struct ffa_partition_info *pbuf;
>
> - if (uuid_parse(uuid_str, &uuid)) {
> + if (!uuid_str || uuid_str[0] == '\0') {
> + uuid = uuid_null;
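Review bot: the new guard at `+ if (!uuid_str || uuid_str[0] == '\0')` widens the interface beyond the bug the commit message reports: an empty string already fails `uuid_parse()` today (it is not a dereference), so mapping it to `uuid_null` silently turns a previously rejected argument into the "all partitions" wildcard. If the only defect is the NULL dereference, a bare `!uuid_str` test in front of the existing `uuid_parse()` call keeps the current error path intact, and the quoted hunk should also show that path, since as quoted it stops right after `+ uuid = uuid_null;` and it is not visible where a non-empty string is still parsed and a malformed one rejected.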
I object to making it uuid_null. The check below is enough to avoid the NULL
dereference.
- if (uuid_parse(uuid_str, &uuid)) {
+ if (!uuid_str || uuid_parse(uuid_str, &uuid)) {
I don't think we need to service NULL as a valid argument via this interface,
as the callee driver needs to pass its partition UUID here.
--
Regards,
Sudeep
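The two guards under discussion, side by side, as an added user-space model that is not the kernel's code nor the posted patch. uuid_is_valid(), uuid_parse() and hex_to_bin() below imitate the checks in lib/uuid.c (36 characters, hyphens at offsets 8/13/18/23, hex digits elsewhere, no NULL check), lookup_wildcard() is the posted patch's guard and lookup_strict() the reviewer's; the -EINVAL return for a rejected string and the sample UUID are assumptions made for the example.

```c
/* Added example (not kernel code): model the uuid_parse() path that the
 * reported panic walks through, and compare the two proposed guards. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[16]; } uuid_t;
static const uuid_t uuid_null = { { 0 } };

/* Like the kernel's hex_to_bin(): value of a hex digit, or -1. */
static int hex_to_bin(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Model of uuid_is_valid(): it reads uuid[0] unconditionally, which is
 * exactly the NULL dereference in the quoted report. An empty string is
 * merely rejected here ('\0' is not a hex digit), it does not crash. */
static bool uuid_is_valid(const char *uuid)
{
	for (unsigned int i = 0; i < 36; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (uuid[i] != '-')
				return false;
		} else if (hex_to_bin(uuid[i]) < 0) {
			return false;
		}
	}
	return true;
}

/* Model of uuid_parse(): text UUID to 16 big-endian bytes, -EINVAL if bad. */
static int uuid_parse(const char *uuid, uuid_t *u)
{
	static const uint8_t si[16] = { 0, 2, 4, 6, 9, 11, 14, 16,
					19, 21, 24, 26, 28, 30, 32, 34 };
	if (!uuid_is_valid(uuid))
		return -EINVAL;
	for (int i = 0; i < 16; i++)
		u->b[i] = (uint8_t)((hex_to_bin(uuid[si[i]]) << 4) |
				    hex_to_bin(uuid[si[i] + 1]));
	return 0;
}

/* Guard A, as in the posted patch: NULL and "" become the all-zeros
 * FF-A wildcard, so the caller would get every partition back. */
static int lookup_wildcard(const char *uuid_str, uuid_t *out)
{
	if (!uuid_str || uuid_str[0] == '\0') {
		*out = uuid_null;
		return 0;
	}
	return uuid_parse(uuid_str, out);
}

/* Guard B, as suggested in the review: only stop the NULL dereference and
 * keep the existing error path, so a caller must supply a real UUID.
 * (Returning -EINVAL here is an assumption; the driver's error path is not
 * shown in the quoted hunk.) */
static int lookup_strict(const char *uuid_str, uuid_t *out)
{
	if (!uuid_str || uuid_parse(uuid_str, out))
		return -EINVAL;
	return 0;
}

/* Run one input through a guard: negative errno if rejected, 0 if it
 * resolved to the wildcard, 1 if it resolved to a specific UUID. */
static int classify(int (*guard)(const char *, uuid_t *), const char *s)
{
	uuid_t u;
	int ret = guard(s, &u);

	if (ret)
		return ret;
	return memcmp(&u, &uuid_null, sizeof(u)) == 0 ? 0 : 1;
}

/* First byte of the parsed UUID under the strict guard, or -1 if rejected. */
static int parsed_first_byte(const char *s)
{
	uuid_t u;

	if (lookup_strict(s, &u))
		return -1;
	return u.b[0];
}

int main(void)
{
	/* Constructed sample inputs; the UUID is made up for this example. */
	const char *inputs[] = { NULL, "", "not-a-uuid",
				 "00000000-0000-0000-0000-000000000000",
				 "0123abcd-4567-89ef-0123-456789abcdef" };
	for (unsigned int i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("%-40s wildcard-guard=%3d strict-guard=%3d\n",
		       inputs[i] ? inputs[i] : "(NULL)",
		       classify(lookup_wildcard, inputs[i]),
		       classify(lookup_strict, inputs[i]));
	return 0;
}
```

The table it prints makes the interface difference concrete: both guards stop the crash on NULL, but only the strict one keeps NULL and "" as errors, and a caller that genuinely wants the FF-A wildcard can still get it under either guard by passing the all-zeros UUID string explicitly.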
More information about the linux-arm-kernel mailing list