The "msg" pointer is a struct and msg->offset is the sizeof(*msg). The pointer here math means the memcpy() will write outside the bounds. Cast "msg" to a u8 pointer to fix this. Fixes: 02c19d84c7c5 ("firmware: arm_ffa: Add support for FFA_MSG_SEND2") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/firmware/arm_ffa/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index 9f89ee0aaa6b..363e86936461 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -363,7 +363,7 @@ static int ffa_msg_send2(u16 src_id, u16 dst_id, void *buf, size_t sz) msg->offset = sizeof(*msg); msg->send_recv_id = src_dst_ids; msg->size = sz; - memcpy(msg + msg->offset, buf, sz); + memcpy((u8 *)msg + msg->offset, buf, sz); /* flags = 0, sender VMID = 0 works for both physical/virtual NS */ invoke_ffa_fn((ffa_value_t){ -- 2.43.0