From nobody Sun Oct  5 10:51:16 2025
Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com
 [205.220.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F8CA28A3EF;
	Wed,  6 Aug 2025 11:51:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=205.220.180.131
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1754481114; cv=none;
 b=PpXY9OIJamxlm5umvQwZwRcO5LoBT92FInsXi8WLC6ciocjitNGRGAPdCm/qX+ghtjMHW8IA2r4r/uBqUSgWzvOnExdLJQu4Lv1G2bVpdB4nXdKAqf8oC0FY0O/9pprpOrTf0qVtaAUNxX44uEEz7NFyaZJXZNqPFryQaHbP6+4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1754481114; c=relaxed/simple;
	bh=Tbjky5g1OwCVsI083I/HAqwmAGqqRSKNINutUAOZXTs=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=G5xqi5cbN9JiwXD4lgSuRDE73CBXFAsWexqTeNzG/tU/Y7bixG61crXcupKQ21cfESsgLH2jhModbubIGeTWOCDIHj9EL/gsu6Xw0Hbjj8mZYvfCvifThB8sxQvB4kfNmwx3YiJfKuxWHOmhNI8oi4xa3tXV6eHBR4gcos8EGuo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=quicinc.com;
 spf=pass smtp.mailfrom=quicinc.com;
 dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com
 header.b=G6vYtm1h; arc=none smtp.client-ip=205.220.180.131
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=quicinc.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=quicinc.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com
 header.b="G6vYtm1h"
Received: from pps.filterd (m0279871.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id
 5769ekff032241;
	Wed, 6 Aug 2025 11:51:44 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=
	cc:content-transfer-encoding:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to; s=qcppdkim1; bh=
	7OHFuNXohkfV4ozRkN1gH5VFSe3G8oUlRlgFMpl9sQY=; b=G6vYtm1hCBgSow2C
	7CPQrRVFY/BjtI2aJIHwQEp/7dCNjSIxH4wI95JO9nVZDsCmhfOxepK83mMAuXKv
	G6yQwx53hs/i0MV32rkSlso59dEoO0VzoRh3Eouvz1LTpZXYkKtvFvewBxwLNKpy
	rfjcWQOgCSCGvwx91e8hva/0qrMFyZDrq11IJ9X+VZiHQCad6TI0RqVetR0BHR2t
	uYl78xZB7Wk6B/5Ld1SkGPzSCaEzW/wnNcfgAq9ZpS1T7uKBZIrrilt+o8S0iPSx
	O8r4m4ExJB6Jok36hbgXqZnbrs2m/Yk/CEUDnaegY+epF8qZ8UW/OxfchpV5Lz/E
	oefn4w==
Received: from nasanppmta05.qualcomm.com (i-global254.qualcomm.com
 [199.106.103.254])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 48bpw2tndq-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 06 Aug 2025 11:51:43 +0000 (GMT)
Received: from nasanex01c.na.qualcomm.com (nasanex01c.na.qualcomm.com
 [10.45.79.139])
	by NASANPPMTA05.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id
 576BpgRd021724
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 6 Aug 2025 11:51:42 GMT
Received: from hu-lxu5-sha.qualcomm.com (10.80.80.8) by
 nasanex01c.na.qualcomm.com (10.45.79.139) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1748.10; Wed, 6 Aug 2025 04:51:39 -0700
From: Ling Xu <quic_lxu5@quicinc.com>
To: <srini@kernel.org>, <amahesh@qti.qualcomm.com>, <arnd@arndb.de>,
        <gregkh@linuxfoundation.org>, <sumit.semwal@linaro.org>,
        <christian.koenig@amd.com>, <thierry.escande@linaro.org>,
        <quic_vgattupa@quicinc.com>
CC: <quic_kuiw@quicinc.com>, <ekansh.gupta@oss.qualcomm.com>,
        <dri-devel@lists.freedesktop.org>, <linux-arm-msm@vger.kernel.org>,
        <linux-media@vger.kernel.org>, <linaro-mm-sig@lists.linaro.org>,
        <linux-kernel@vger.kernel.org>, Ling Xu <quic_lxu5@quicinc.com>,
        <stable@kernel.org>
Subject: [PATCH v2 2/4] misc: fastrpc: Fix fastrpc_map_lookup operation
Date: Wed, 6 Aug 2025 17:21:12 +0530
Message-ID: <20250806115114.688814-3-quic_lxu5@quicinc.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250806115114.688814-1-quic_lxu5@quicinc.com>
References: <20250806115114.688814-1-quic_lxu5@quicinc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
 nasanex01c.na.qualcomm.com (10.45.79.139)
X-QCInternal: smtphost
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
 signatures=585085
X-Authority-Analysis: v=2.4 cv=Vbz3PEp9 c=1 sm=1 tr=0 ts=689341cf cx=c_pps
 a=JYp8KDb2vCoCEuGobkYCKw==:117 a=JYp8KDb2vCoCEuGobkYCKw==:17
 a=GEpy-HfZoHoA:10 a=2OwXVqhp2XgA:10 a=VwQbUJbxAAAA:8 a=EUspDBNiAAAA:8
 a=COk6AnOGAAAA:8 a=Gfd6DxS6oenDwON9uhEA:9 a=TjNXssC_j7lpFel5tvFf:22
X-Proofpoint-ORIG-GUID: ymsVwjXJTheSvaoJT6pr4X236sh5GNnQ
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODA2MDAwOCBTYWx0ZWRfX12shlG1yRJWr
 /Kv/tXdxqFdhtCcjGRpikATrvUCyFDXz0KDJKvZWOqV8MxFzK6WVrkRf8Tt5K03IEbbSofeAMrM
 +LwoIkqeGBBQ0Gc9WAVbmgvbTdLewxVlZTgAx59d71F4/BNdJkslw9DOvFS33bKXFiEyTIWO+uL
 UCFbtgEMY06r3e1vLTk2zFmYZBDH5nOjKGFsBjeaVffXuvwGckzaqmcyKsSDxmBLI1wDKb3VKqT
 uDAEKgk5gkxXDPBDKEa6ZiwWrQWd4oH9IkRnyRFfHGE3nI5UOmnEZ9xk6pgKVuqPl8sGa2CKTqH
 pFJ8cm9BCZhq8ZD996OdROVyEhEKcQy/WdWRVmPvcXyoOnWryhkbqLWpyX283u5wrZFkkotpWnP
 Z7lI3SVS
X-Proofpoint-GUID: ymsVwjXJTheSvaoJT6pr4X236sh5GNnQ
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40
 definitions=2025-08-06_03,2025-08-06_01,2025-03-28_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 clxscore=1015 malwarescore=0 adultscore=0 suspectscore=0 bulkscore=0
 phishscore=0 priorityscore=1501 spamscore=0 impostorscore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.19.0-2507300000 definitions=main-2508060008
Content-Type: text/plain; charset="utf-8"

Fastrpc driver creates maps for user allocated fd buffers. Before
creating a new map, the map list is checked for any already existing
maps using map fd. Checking with just map fd is not sufficient as the
user can pass offsetted buffer with less size when the map is created
and then a larger size the next time which could result in memory
issues. Check for dma_buf object also when looking up for the map.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
---
 drivers/misc/fastrpc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 52571916acd4..1815b1e0c607 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -367,11 +367,16 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl=
, int fd,
 {
 	struct fastrpc_session_ctx *sess =3D fl->sctx;
 	struct fastrpc_map *map =3D NULL;
+	struct dma_buf *buf;
 	int ret =3D -ENOENT;
=20
+	buf =3D dma_buf_get(fd);
+	if (IS_ERR(buf))
+		return PTR_ERR(buf);
+
 	spin_lock(&fl->lock);
 	list_for_each_entry(map, &fl->maps, node) {
-		if (map->fd !=3D fd)
+		if (map->fd !=3D fd || map->buf !=3D buf)
 			continue;
=20
 		if (take_ref) {
--=20
2.34.1