From: Ling Xu
Subject: [PATCH v2 1/4] misc: fastrpc: Save actual DMA size in fastrpc_map structure
Date: Wed, 6 Aug 2025 17:21:11 +0530
Message-ID: <20250806115114.688814-2-quic_lxu5@quicinc.com>
In-Reply-To: <20250806115114.688814-1-quic_lxu5@quicinc.com>

For user passed fd buffer, map is created using DMA calls. The map related information is stored in fastrpc_map structure. The actual DMA size is not stored in the structure. Store the actual size of buffer and check it against the user passed size.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Reviewed-by: Dmitry Baryshkov
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
---
 drivers/misc/fastrpc.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 53e88a1bc430..52571916acd4 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref *ref) =20 perm.vmid =3D QCOM_SCM_VMID_HLOS; perm.perm =3D QCOM_SCM_PERM_RWX; - err =3D qcom_scm_assign_mem(map->phys, map->size, + err =3D qcom_scm_assign_mem(map->phys, map->len, &src_perms, &perm, 1); if (err) { dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size = 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); return; } } @@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; struct sg_table *table; - int err =3D 0; + struct scatterlist *sgl =3D NULL; + int err =3D 0, sgl_index =3D 0; =20 if (!fastrpc_map_lookup(fl, fd, ppmap, true)) return 0; 
@@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, map->phys =3D sg_dma_address(map->table->sgl); map->phys +=3D ((u64)fl->sctx->sid << 32); } - map->size =3D len; + for_each_sg(map->table->sgl, sgl, map->table->nents, + sgl_index) + map->size +=3D sg_dma_len(sgl); + if (len > map->size) { + dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n", + len, map->size); + err =3D -EINVAL; + goto map_err; + } map->va =3D sg_virt(map->table->sgl); map->len =3D len; =20 @@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl= , int fd, dst_perms[1].vmid =3D fl->cctx->vmperms[0].vmid; dst_perms[1].perm =3D QCOM_SCM_PERM_RWX; map->attr =3D attr; - err =3D qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_p= erms, 2); + err =3D qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_pe= rms, 2); if (err) { dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%ll= x err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); goto map_err; } } @@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) args[0].length =3D sizeof(req_msg); =20 pages.addr =3D map->phys; - pages.size =3D map->size; + pages.size =3D map->len; =20 args[1].ptr =3D (u64) (uintptr_t) &pages; args[1].length =3D sizeof(pages); @@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) err =3D fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[= 0]); if (err) { dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n", - req.fd, req.vaddrin, map->size); + req.fd, req.vaddrin, map->len); goto err_invoke; } =20 
@@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) if (copy_to_user((void __user *)argp, &req, sizeof(req))) { /* unmap the memory and release the buffer */ req_unmap.vaddr =3D (uintptr_t) rsp_msg.vaddr; - req_unmap.length =3D map->size; + req_unmap.length =3D map->len; fastrpc_req_mem_unmap_impl(fl, &req_unmap); return -EFAULT; } --=20 2.34.1
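
Review bot: In patch 1/4, the "@@ -323,11 +323,11 @@" hunk of fastrpc_free_map() switches the qcom_scm_assign_mem() call and its dev_err() from map->size to map->len, but no hunk in this patch touches the struct fastrpc_map definition, so the new split (size is the summed DMA length, len is the length the caller passed) is documented nowhere in the code. A comment on the two fields would stop a later change from picking the wrong one. The message text in this hunk still says "size" while printing map->len, which is worth aligning at the same time.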
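
Review bot: In patch 1/4, the "@@ -798,7 +799,15 @@" hunk of fastrpc_map_create() builds the total with "map->size += sg_dma_len(sgl)" and nothing in the visible lines initialises map->size, so the sum is only right if the structure arrives zeroed; setting map->size to 0 before the loop, or summing into a local and assigning once, makes that explicit. The loop walks the DMA-mapped entries, for which for_each_sgtable_dma_sg(map->table, sgl, sgl_index) is the helper that states the intent. The rejection path logs with dev_dbg() while the qcom_scm_assign_mem() failure in the next hunk uses dev_err(); if the quieter level is deliberate because the length comes from user space, a short comment saying so would help.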

From: Ling Xu
Subject: [PATCH v2 2/4] misc: fastrpc: Fix fastrpc_map_lookup operation
Date: Wed, 6 Aug 2025 17:21:12 +0530
Message-ID: <20250806115114.688814-3-quic_lxu5@quicinc.com>
In-Reply-To: <20250806115114.688814-1-quic_lxu5@quicinc.com>

Fastrpc driver creates maps for user allocated fd buffers. Before creating a new map, the map list is checked for any already existing maps using map fd. Checking with just map fd is not sufficient as the user can pass offsetted buffer with less size when the map is created and then a larger size the next time which could result in memory issues. Check for dma_buf object also when looking up for the map.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
---
 drivers/misc/fastrpc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 52571916acd4..1815b1e0c607 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c 
@@ -367,11 +367,16 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl= , int fd, { struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; + struct dma_buf *buf; int ret =3D -ENOENT; =20 + buf =3D dma_buf_get(fd); + if (IS_ERR(buf)) + return PTR_ERR(buf); + spin_lock(&fl->lock); list_for_each_entry(map, &fl->maps, node) { - if (map->fd !=3D fd) + if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 if (take_ref) { --=20 2.34.1
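
Review bot: In patch 2/4, the "@@ -367,11 +367,16 @@" hunk of fastrpc_map_lookup() calls dma_buf_get(fd), but none of the six added lines releases the buffer again; dma_buf_get() takes a reference on the dma_buf, so every lookup, hit or miss, would keep it pinned. Since buf is only used for the pointer comparison in the list walk, add a dma_buf_put(buf) before the function returns. The function can now also return PTR_ERR(buf) instead of only 0 or -ENOENT; the callers visible in this series test "!fastrpc_map_lookup(...)", which still works, but the new return values deserve a line in the commit message.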

From: Ling Xu
Subject: [PATCH v2 3/4] misc: fastrpc: fix possible map leak in fastrpc_put_args
Date: Wed, 6 Aug 2025 17:21:13 +0530
Message-ID: <20250806115114.688814-4-quic_lxu5@quicinc.com>
In-Reply-To: <20250806115114.688814-1-quic_lxu5@quicinc.com>

copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
---
 drivers/misc/fastrpc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1815b1e0c607..d950a179bff8 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1085,6 +1085,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, struct fastrpc_phy_page *pages; u64 *fdlist; int i, inbufs, outbufs, handles; + int ret =3D 0; =20 inbufs =3D REMOTE_SCALARS_INBUFS(ctx->sc); outbufs =3D REMOTE_SCALARS_OUTBUFS(ctx->sc); @@ -1100,14 +1101,17 @@ static int fastrpc_put_args(struct fastrpc_invoke_c= tx *ctx, u64 len =3D rpra[i].buf.len; =20 if (!kernel) { - if (copy_to_user((void __user *)dst, src, len)) - return -EFAULT; + if (copy_to_user((void __user *)dst, src, len)) { + ret =3D -EFAULT; + goto cleanup_fdlist; + } } else { memcpy(dst, src, len); } } } =20 +cleanup_fdlist: /* Clean up fdlist which is updated by DSP */ for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) 
@@ -1116,7 +1120,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, fastrpc_map_put(mmap); } =20 - return 0; + return ret; } =20 static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, --=20 2.34.1
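
Review bot: In patch 3/4, the "@@ -1100,14 +1101,17 @@" hunk of fastrpc_put_args() adds "goto cleanup_fdlist" to a label that, going by the closing braces in the context lines, sits directly after the loop the goto leaves, so "ret = -EFAULT; break;" would give the same control flow without a label. If the label stays, the existing comment "Clean up fdlist which is updated by DSP" now follows it and covers both the success and the failure path; saying so in the comment would make the shared cleanup obvious to the next reader.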

From: Ling Xu
Subject: [PATCH v2 4/4] misc: fastrpc: Skip reference for DMA handles
Date: Wed, 6 Aug 2025 17:21:14 +0530
Message-ID: <20250806115114.688814-5-quic_lxu5@quicinc.com>
In-Reply-To: <20250806115114.688814-1-quic_lxu5@quicinc.com>

If multiple dma handles are passed with same fd over a remote call the kernel driver takes a reference and expects that put for the map will be called as many times to free the map. But DSP only updates the fd one time in the fd list when the DSP refcount goes to zero and hence kernel makes put call only once for the fd. This can cause SMMU fault issue as the same fd can be used in future for some other call.

Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
---
 drivers/misc/fastrpc.c | 44 ++++++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 17 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index d950a179bff8..3b7ad4a043eb 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -363,7 +363,7 @@ static int fastrpc_map_get(struct fastrpc_map *map) =20 =20 static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, - struct fastrpc_map **ppmap, bool take_ref) + struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; @@ -379,15 +379,6 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl,= int fd, if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 - if (take_ref) { - ret =3D fastrpc_map_get(map); - if (ret) { - dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d ret=3D%d\n", - __func__, fd, ret); - break; - } - } - *ppmap =3D map; ret =3D 0; break; 
@@ -757,7 +748,7 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops =3D= { .release =3D fastrpc_release, }; =20 -static int fastrpc_map_create(struct fastrpc_user *fl, int fd, +static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, u64 len, u32 attr, struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess =3D fl->sctx; @@ -766,9 +757,6 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct scatterlist *sgl =3D NULL; int err =3D 0, sgl_index =3D 0; =20 - if (!fastrpc_map_lookup(fl, fd, ppmap, true)) - return 0; - map =3D kzalloc(sizeof(*map), GFP_KERNEL); if (!map) return -ENOMEM; @@ -853,6 +841,24 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, return err; } =20 +static int fastrpc_map_create(struct fastrpc_user *fl, int fd, + u64 len, u32 attr, struct fastrpc_map **ppmap) +{ + struct fastrpc_session_ctx *sess =3D fl->sctx; + int err =3D 0; + + if (!fastrpc_map_lookup(fl, fd, ppmap)) { + if (!fastrpc_map_get(*ppmap)) + return 0; + dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d\n", + __func__, fd); + } + + err =3D fastrpc_map_attach(fl, fd, len, attr, ppmap); + + return err; +} + /* * Fastrpc payload buffer with metadata looks like: * @@ -925,8 +931,12 @@ static int fastrpc_create_maps(struct fastrpc_invoke_c= tx *ctx) ctx->args[i].length =3D=3D 0) continue; =20 - err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, - ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + if (i < ctx->nbufs) + err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + else + err =3D fastrpc_map_attach(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; 
@@ -1116,7 +1126,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) break; - if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap)) fastrpc_map_put(mmap); } =20 --=20 2.34.1
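
Review bot: In patch 4/4, the "@@ -379,15 +379,6 @@" hunk of fastrpc_map_lookup() removes the fastrpc_map_get() call from inside the list walk, which patch 2/4 shows running under spin_lock(&fl->lock); the reference is now taken by the new fastrpc_map_create() only after the lookup has returned. That leaves a window in which the map found under the lock can be released before fastrpc_map_get() runs on it. Either keep a reference-taking lookup for fastrpc_map_create(), or explain in the commit message what keeps the map alive across that gap.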
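
Review bot: In patch 4/4, the "@@ -853,6 +841,24 @@" hunk adds a fastrpc_map_create() whose lookup-hit path returns 0 without comparing len to the map it found, so the "len > map->size" check from patch 1/4 only runs in fastrpc_map_attach(). A later call on the same fd with a larger length, the case patch 2/4's message describes, would skip the check on this path; is that intended, or should len be compared against (*ppmap)->size before the cached map is returned? When fastrpc_map_get() fails, the code logs and falls through to fastrpc_map_attach(), which creates a second map for the same fd; a comment should say that this is deliberate, and the local err can go in favour of returning the fastrpc_map_attach() result directly.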
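
Review bot: In patch 4/4, the "@@ -925,8 +931,12 @@" hunk of fastrpc_create_maps() sends every argument with i >= ctx->nbufs to fastrpc_map_attach(), which no longer does a lookup, so the same fd passed as several DMA handles produces several maps with the same fd and buf. fastrpc_put_args() then puts whichever one fastrpc_map_lookup() finds first, once; the commit message describes the fault but not what releases the remaining maps. A comment above the "if (i < ctx->nbufs)" split stating why handles bypass the lookup and where their maps are freed would make the ownership rule reviewable.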