From: Ling Xu
Subject: [PATCH v3 1/4] misc: fastrpc: Save actual DMA size in fastrpc_map structure
Date: Thu, 7 Aug 2025 15:34:17 +0530
Message-ID: <20250807100420.1163967-2-quic_lxu5@quicinc.com>
In-Reply-To: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
References: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

For user passed fd buffer, map is created using DMA calls. The map related information is stored in fastrpc_map structure. The actual DMA size is not stored in the structure. Store the actual size of buffer and check it against the user passed size.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Reviewed-by: Dmitry Baryshkov
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
--- drivers/misc/fastrpc.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 53e88a1bc430..52571916acd4 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref *ref) =20 perm.vmid =3D QCOM_SCM_VMID_HLOS; perm.perm =3D QCOM_SCM_PERM_RWX; - err =3D qcom_scm_assign_mem(map->phys, map->size, + err =3D qcom_scm_assign_mem(map->phys, map->len, &src_perms, &perm, 1); if (err) { dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size = 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); return; } } @@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; struct sg_table *table; - int err =3D 0; + struct scatterlist *sgl =3D NULL; + int err =3D 0, sgl_index =3D 0; =20 if (!fastrpc_map_lookup(fl, fd, ppmap, true)) return 0; 
@@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, map->phys =3D sg_dma_address(map->table->sgl); map->phys +=3D ((u64)fl->sctx->sid << 32); } - map->size =3D len; + for_each_sg(map->table->sgl, sgl, map->table->nents, + sgl_index) + map->size +=3D sg_dma_len(sgl); + if (len > map->size) { + dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n", + len, map->size); + err =3D -EINVAL; + goto map_err; + } map->va =3D sg_virt(map->table->sgl); map->len =3D len; =20 @@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl= , int fd, dst_perms[1].vmid =3D fl->cctx->vmperms[0].vmid; dst_perms[1].perm =3D QCOM_SCM_PERM_RWX; map->attr =3D attr; - err =3D qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_p= erms, 2); + err =3D qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_pe= rms, 2); if (err) { dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%ll= x err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); goto map_err; } } @@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) args[0].length =3D sizeof(req_msg); =20 pages.addr =3D map->phys; - pages.size =3D map->size; + pages.size =3D map->len; =20 args[1].ptr =3D (u64) (uintptr_t) &pages; args[1].length =3D sizeof(pages); @@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) err =3D fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[= 0]); if (err) { dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n", - req.fd, req.vaddrin, map->size); + req.fd, req.vaddrin, map->len); goto err_invoke; } =20 
@@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) if (copy_to_user((void __user *)argp, &req, sizeof(req))) { /* unmap the memory and release the buffer */ req_unmap.vaddr =3D (uintptr_t) rsp_msg.vaddr; - req_unmap.length =3D map->size; + req_unmap.length =3D map->len; fastrpc_req_mem_unmap_impl(fl, &req_unmap); return -EFAULT; } --=20 2.34.1

From: Ling Xu
Subject: [PATCH v3 2/4] misc: fastrpc: Fix fastrpc_map_lookup operation
Date: Thu, 7 Aug 2025 15:34:18 +0530
Message-ID: <20250807100420.1163967-3-quic_lxu5@quicinc.com>
In-Reply-To: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
References: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Fastrpc driver creates maps for user allocated fd buffers. Before creating a new map, the map list is checked for any already existing maps using map fd. Checking with just map fd is not sufficient as the user can pass offsetted buffer with less size when the map is created and then a larger size the next time which could result in memory issues. Check for dma_buf object also when looking up for the map.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
Reviewed-by: Dmitry Baryshkov
--- drivers/misc/fastrpc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 52571916acd4..1815b1e0c607 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c 
@@ -367,11 +367,16 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl= , int fd, { struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; + struct dma_buf *buf; int ret =3D -ENOENT; =20 + buf =3D dma_buf_get(fd); + if (IS_ERR(buf)) + return PTR_ERR(buf); + spin_lock(&fl->lock); list_for_each_entry(map, &fl->maps, node) { - if (map->fd !=3D fd) + if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 if (take_ref) { --=20 2.34.1

From: Ling Xu
Subject: [PATCH v3 3/4] misc: fastrpc: fix possible map leak in fastrpc_put_args
Date: Thu, 7 Aug 2025 15:34:19 +0530
Message-ID: <20250807100420.1163967-4-quic_lxu5@quicinc.com>
In-Reply-To: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
References: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
Reviewed-by: Dmitry Baryshkov
--- drivers/misc/fastrpc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1815b1e0c607..d950a179bff8 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1085,6 +1085,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, struct fastrpc_phy_page *pages; u64 *fdlist; int i, inbufs, outbufs, handles; + int ret =3D 0; =20 inbufs =3D REMOTE_SCALARS_INBUFS(ctx->sc); outbufs =3D REMOTE_SCALARS_OUTBUFS(ctx->sc); @@ -1100,14 +1101,17 @@ static int fastrpc_put_args(struct fastrpc_invoke_c= tx *ctx, u64 len =3D rpra[i].buf.len; =20 if (!kernel) { - if (copy_to_user((void __user *)dst, src, len)) - return -EFAULT; + if (copy_to_user((void __user *)dst, src, len)) { + ret =3D -EFAULT; + goto cleanup_fdlist; + } } else { memcpy(dst, src, len); } } } =20 +cleanup_fdlist: /* Clean up fdlist which is updated by DSP */ for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) 
@@ -1116,7 +1120,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, fastrpc_map_put(mmap); } =20 - return 0; + return ret; } =20 static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, --=20 2.34.1

From: Ling Xu
Subject: [PATCH v3 4/4] misc: fastrpc: Skip reference for DMA handles
Date: Thu, 7 Aug 2025 15:34:20 +0530
Message-ID: <20250807100420.1163967-5-quic_lxu5@quicinc.com>
In-Reply-To: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
References: <20250807100420.1163967-1-quic_lxu5@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

If multiple dma handles are passed with same fd over a remote call the kernel driver takes a reference and expects that put for the map will be called as many times to free the map. But DSP only updates the fd one time in the fd list when the DSP refcount goes to zero and hence kernel makes put call only once for the fd. This can cause SMMU fault issue as the same fd can be used in future for some other call.

Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation")
Cc: stable@kernel.org
Co-developed-by: Ekansh Gupta
Signed-off-by: Ekansh Gupta
Signed-off-by: Ling Xu
Reviewed-by: Dmitry Baryshkov
--- drivers/misc/fastrpc.c | 45 +++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index d950a179bff8..7eec907ed454 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -363,9 +363,8 @@ static int fastrpc_map_get(struct fastrpc_map *map) =20 =20 static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, - struct fastrpc_map **ppmap, bool take_ref) + struct fastrpc_map **ppmap) { - struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; struct dma_buf *buf; int ret =3D -ENOENT; @@ -379,15 +378,6 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl,= int fd, if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 - if (take_ref) { - ret =3D fastrpc_map_get(map); - if (ret) { - dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d ret=3D%d\n", - __func__, fd, ret); - break; - } - } - *ppmap =3D map; ret =3D 0; break; 
@@ -757,7 +747,7 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops =3D= { .release =3D fastrpc_release, }; =20 -static int fastrpc_map_create(struct fastrpc_user *fl, int fd, +static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, u64 len, u32 attr, struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess =3D fl->sctx; @@ -766,9 +756,6 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct scatterlist *sgl =3D NULL; int err =3D 0, sgl_index =3D 0; =20 - if (!fastrpc_map_lookup(fl, fd, ppmap, true)) - return 0; - map =3D kzalloc(sizeof(*map), GFP_KERNEL); if (!map) return -ENOMEM; @@ -853,6 +840,24 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, return err; } =20 +static int fastrpc_map_create(struct fastrpc_user *fl, int fd, + u64 len, u32 attr, struct fastrpc_map **ppmap) +{ + struct fastrpc_session_ctx *sess =3D fl->sctx; + int err =3D 0; + + if (!fastrpc_map_lookup(fl, fd, ppmap)) { + if (!fastrpc_map_get(*ppmap)) + return 0; + dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d\n", + __func__, fd); + } + + err =3D fastrpc_map_attach(fl, fd, len, attr, ppmap); + + return err; +} + /* * Fastrpc payload buffer with metadata looks like: * @@ -925,8 +930,12 @@ static int fastrpc_create_maps(struct fastrpc_invoke_c= tx *ctx) ctx->args[i].length =3D=3D 0) continue; =20 - err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, - ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + if (i < ctx->nbufs) + err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + else + err =3D fastrpc_map_attach(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; 
@@ -1116,7 +1125,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) break; - if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap)) fastrpc_map_put(mmap); } =20 --=20 2.34.1
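
Review bot: In patch 1/4, the @@ -798,7 +799,15 @@ hunk of fastrpc_map_create() builds the bound with `map->size += sg_dma_len(sgl)` but nothing in the hunk sets map->size to zero first, so the `len > map->size` check is only correct if the structure arrives zeroed (the kzalloc() visible in the 4/4 context does that today). Summing into a local u64 and assigning map->size once would keep the check right regardless of how the map is allocated, and for_each_sgtable_dma_sg(map->table, sgl, sgl_index) is the dedicated helper for this walk. After this hunk map->size (total DMA-mapped length) and map->len (length the user asked for) mean different things, and every consumer in the other hunks was switched to map->len; a comment on the two fields saying which one goes to qcom_scm_assign_mem() and to the DSP would keep a later change from mixing them up.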
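
Review bot: In patch 2/4, the @@ -367,11 +367,16 @@ hunk of fastrpc_map_lookup() calls dma_buf_get(fd), which takes a reference on the dma_buf, and none of the six added lines the diffstat accounts for is a matching dma_buf_put(buf), so every lookup, hit or miss, leaves one extra reference on the buffer. The pointer is only needed for the `map->buf != buf` comparison, so drop the reference once the list walk is finished, on both the found and the -ENOENT paths. An fd that is not a dma-buf now returns PTR_ERR(buf) rather than -ENOENT; the callers visible in this series only test for zero, but the changed return value deserves a line in the commit message.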
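
Review bot: In patch 4/4, the new fastrpc_map_create() added by the @@ -853,6 +840,24 @@ hunk calls fastrpc_map_get(*ppmap) only after fastrpc_map_lookup() has returned, whereas the removed take_ref branch took the reference inside the list_for_each_entry() walk that runs under spin_lock(&fl->lock). If the lock is dropped before lookup returns, another thread can put and free the map between the two calls, and the get then operates on a stale pointer. Keeping the get under fl->lock, for example in a locked lookup-and-get helper used only by this path, preserves the old guarantee while still letting fastrpc_put_args() look up without taking a reference. The fall-through to fastrpc_map_attach() when the get fails also needs a comment, since it creates a second map for an fd that the lookup just found.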
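
Review bot: In patch 4/4, the @@ -925,8 +930,12 @@ hunk of fastrpc_create_maps() sends every argument with i >= ctx->nbufs straight to fastrpc_map_attach(), which allocates a new map without consulting the existing ones, so two handles carrying the same fd now yield two separate maps. The fdlist loop in fastrpc_put_args() puts one map per fd the DSP reports, and the commit message says the DSP reports an fd once; please state, in a comment at this branch or in the commit message, what releases the remaining map and why `i < ctx->nbufs` is the right split between buffers and handles.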