From nobody Thu Oct 2 18:17:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4156530E0E3 for ; Fri, 12 Sep 2025 13:12:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682770; cv=none; b=d85rhF9H34ZfSCvyaEzmYmWU48racneVLXlW/9CvxN7S0jMF9OfypkfHs9Z7UyOklAXxZ6qagGARxxN37/BPGAB+FN5R/hTleL5AXczkBQ5GPhqDNz/4P3b49quCO3JK16eELtJio/XGsmMqCT20wSFUxYDuRh3DPDsyZhyVE7o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682770; c=relaxed/simple; bh=0YBeKz/9RjMOw/hYk65mXjMvPHkyUPulYWuA//2lkwc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oJVERFmCBNAbur8VMlrNkhtHXZ206jbVA6RmzihKzevzswwynwDzMothm090YKyxEHQsnzonuBD7f9Lnu61KTV80K9tHNED3NR6ycg+EG7EzB0+1bDt5EGbyKqGF27egs/feDLFZIYw7fmXrvMB/0vO+ae0CePTw99vLcS3T6/o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=LMlKOSnB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="LMlKOSnB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 470BDC4CEF7; Fri, 12 Sep 2025 13:12:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757682769; bh=0YBeKz/9RjMOw/hYk65mXjMvPHkyUPulYWuA//2lkwc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LMlKOSnB64fIVYLR1dw+Hg5PaOV/nEHP+H6P0oUvOMvc5xwVAtRIQCryWWpcpfbiW GRtGAy9bqLpKHLF+EZ28Vn02dzE3A5g8BF5ztRWPxrMHISX48wHqBxrx6L2EByyYNO HN7hFjeIbPRX5jd9P0zp5P5Iyn1c0VAm2jMIZf0K34fCkIlyWuldwG49IgBEdB8A69 
7nFFENdjbsNXP+9tJGTauMAqb0KiQq9iOS6EuhPTx/abOmMOOKPwD2vwrewPcakztA IbALy5RTj9H7hQ8ULPdB1BHJDAXUUnnKYZiUkTVWmtvyASOAa+E5LYPnfhgUsWVBNT deXXqPQlEGkAg== From: srini@kernel.org To: gregkh@linuxfoundation.org Cc: linux-kernel@vger.kernel.org, Ling Xu , stable@kernel.org, Dmitry Baryshkov , Ekansh Gupta , Dmitry Baryshkov , Srinivas Kandagatla Subject: [PATCH 1/4] misc: fastrpc: Save actual DMA size in fastrpc_map structure Date: Fri, 12 Sep 2025 14:12:33 +0100 Message-ID: <20250912131236.303102-2-srini@kernel.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250912131236.303102-1-srini@kernel.org> References: <20250912131236.303102-1-srini@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ling Xu For user passed fd buffer, map is created using DMA calls. The map related information is stored in fastrpc_map structure. The actual DMA size is not stored in the structure. Store the actual size of buffer and check it against the user passed size. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable@kernel.org Reviewed-by: Dmitry Baryshkov Co-developed-by: Ekansh Gupta Signed-off-by: Ekansh Gupta Signed-off-by: Ling Xu Reviewed-by: Dmitry Baryshkov Signed-off-by: Srinivas Kandagatla --- drivers/misc/fastrpc.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 53e88a1bc430..52571916acd4 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c 
@@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref *ref) =20 perm.vmid =3D QCOM_SCM_VMID_HLOS; perm.perm =3D QCOM_SCM_PERM_RWX; - err =3D qcom_scm_assign_mem(map->phys, map->size, + err =3D qcom_scm_assign_mem(map->phys, map->len, &src_perms, &perm, 1); if (err) { dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size = 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); return; } } @@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; struct sg_table *table; - int err =3D 0; + struct scatterlist *sgl =3D NULL; + int err =3D 0, sgl_index =3D 0; =20 if (!fastrpc_map_lookup(fl, fd, ppmap, true)) return 0; @@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, map->phys =3D sg_dma_address(map->table->sgl); map->phys +=3D ((u64)fl->sctx->sid << 32); } - map->size =3D len; + for_each_sg(map->table->sgl, sgl, map->table->nents, + sgl_index) + map->size +=3D sg_dma_len(sgl); + if (len > map->size) { + dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n", + len, map->size); + err =3D -EINVAL; + goto map_err; + } map->va =3D sg_virt(map->table->sgl); map->len =3D len; =20 @@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl= , int fd, dst_perms[1].vmid =3D fl->cctx->vmperms[0].vmid; dst_perms[1].perm =3D QCOM_SCM_PERM_RWX; map->attr =3D attr; - err =3D qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_p= erms, 2); + err =3D qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_pe= rms, 2); if (err) { dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%ll= x err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); goto map_err; } } 
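Review bot: In fastrpc_free_map() the switch from `map->size` to `map->len` means the two fields now carry different meanings (summed DMA length versus the caller-requested length), and nothing in the changed lines records that. The same substitution recurs in the `qcom_scm_assign_mem()` call in fastrpc_map_create() and in the three fastrpc_req_mem_map() hunks, and the log strings there still label the value "size". I would document the fields where `struct fastrpc_map` is declared (outside this diff), e.g. `/* size: total DMA-mapped bytes; len: bytes the caller asked for, always <= size */`. Since `len` originates in userspace and reaches `qcom_scm_assign_mem()` unrounded, also confirm whether the assignment should cover the requested `len` or the whole mapped `size`; the hunk picks `len` without saying why.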
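Review bot: The new bound check compares `len` with the sum of every DMA segment, but `map->phys` and `map->va` in the surrounding lines are still taken from the first scatterlist entry only, so the check is meaningful only if the mapped segments form one contiguous range; that assumption deserves a comment or an explicit check, because `len` is user-controlled. The accumulation relies on `map->size` starting at zero, which holds only if `map` was zero-allocated earlier in fastrpc_map_create() (outside this hunk); `map->size = 0;` before the loop would make that local. For the walk itself, `for_each_sgtable_dma_sg(map->table, sgl, sgl_index)` expresses the DMA-entry iteration directly and drops the hand-passed `nents`. The `map_err` label this branch jumps to is outside the hunk, so confirm it unmaps the attachment that is already mapped at this point.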
@@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) args[0].length =3D sizeof(req_msg); =20 pages.addr =3D map->phys; - pages.size =3D map->size; + pages.size =3D map->len; =20 args[1].ptr =3D (u64) (uintptr_t) &pages; args[1].length =3D sizeof(pages); @@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) err =3D fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[= 0]); if (err) { dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n", - req.fd, req.vaddrin, map->size); + req.fd, req.vaddrin, map->len); goto err_invoke; } =20 
@@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp) if (copy_to_user((void __user *)argp, &req, sizeof(req))) { /* unmap the memory and release the buffer */ req_unmap.vaddr =3D (uintptr_t) rsp_msg.vaddr; - req_unmap.length =3D map->size; + req_unmap.length =3D map->len; fastrpc_req_mem_unmap_impl(fl, &req_unmap); return -EFAULT; } --=20 2.50.0 From nobody Thu Oct 2 18:17:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E887B30EF90 for ; Fri, 12 Sep 2025 13:12:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682773; cv=none; b=jl4u4mSwL/5+7zkeEzdzHiswiY6obaU+b+FcIVt1cbxudnSbg/z02lHY+OqWY144Ql5Ft8XL9vOuhBGzeZwjM3EpKyyXfXJXjjkDybD2WrMX65luCe/AL90HpnU8x7bgxcQqvNWZMUfBDMqvdOVG65f9cpBQ1AcJJ5T5CUhqhBU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682773; c=relaxed/simple; bh=tdwo+nYVdYg7cQqJ6RkgwgBb8l3EtRx9h1/tdvcwODk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XqVksnkv8dvvsYMxEukTnWJJT14fQ8IlTCSCxMu5HAVnqRWtqcNYTYC6bFgiDk3enCcjletRBpj76LNAp0tXZVLUAh4qPkGLSYseAUNfkDm9xrXB0AFRMVgQb2aGvuJbpY6C2nfMDZ2gqxstgummOFtDBl6bmskVGxT2YFuU9D8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=IEsU7onV; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="IEsU7onV" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30984C4CEF1; Fri, 12 Sep 2025 13:12:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; 
s=k20201202; t=1757682771; bh=tdwo+nYVdYg7cQqJ6RkgwgBb8l3EtRx9h1/tdvcwODk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IEsU7onVCQUb1Hfd450lYShrEII9Y5vT1s1wZMLomH7yTPE15pyw/CUe1qBa9YyPD c63e6UYl95303xllOoGtcTdV66nhOGqrUMicxUw7GT6cH8Pd+yooScpv7wBXBAN8l+ PytEjrNcBPYMBONlk0IZulW9Xk8dAUiBiDZdwZxeB1eZNjQjpfnQP+LmWvhILHn6vs aFXPffE1c0d15fK3jzre5zq/h3gcQoGc1ENal0ngLaCnt6ppXTLhelxtE7v0dCUbBO GJI96smcQ0YGJ7zIcRRuTEyESmGL+QV9cV9j++l0uCMCEPYBK2Vt4MjDmc6cvT0pGI a5JksJuDQ7QcA== From: srini@kernel.org To: gregkh@linuxfoundation.org Cc: linux-kernel@vger.kernel.org, Ling Xu , stable@kernel.org, Ekansh Gupta , Dmitry Baryshkov , Srinivas Kandagatla Subject: [PATCH 2/4] misc: fastrpc: Fix fastrpc_map_lookup operation Date: Fri, 12 Sep 2025 14:12:34 +0100 Message-ID: <20250912131236.303102-3-srini@kernel.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250912131236.303102-1-srini@kernel.org> References: <20250912131236.303102-1-srini@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ling Xu Fastrpc driver creates maps for user allocated fd buffers. Before creating a new map, the map list is checked for any already existing maps using map fd. Checking with just map fd is not sufficient as the user can pass offsetted buffer with less size when the map is created and then a larger size the next time which could result in memory issues. Check for dma_buf object also when looking up for the map. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable@kernel.org Co-developed-by: Ekansh Gupta Signed-off-by: Ekansh Gupta Signed-off-by: Ling Xu Reviewed-by: Dmitry Baryshkov Signed-off-by: Srinivas Kandagatla --- drivers/misc/fastrpc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 52571916acd4..1815b1e0c607 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c 
@@ -367,11 +367,16 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl= , int fd, { struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; + struct dma_buf *buf; int ret =3D -ENOENT; =20 + buf =3D dma_buf_get(fd); + if (IS_ERR(buf)) + return PTR_ERR(buf); + spin_lock(&fl->lock); list_for_each_entry(map, &fl->maps, node) { - if (map->fd !=3D fd) + if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 if (take_ref) { --=20 2.50.0 From nobody Thu Oct 2 18:17:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AB31330F550 for ; Fri, 12 Sep 2025 13:12:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682773; cv=none; b=SMd1hyo+hdtZ8N2N2Qv9vBquoPKqdPTf7QO2y2jQ8vyavw2h7zzh9fQni4z8mlGiDqmPGEpj4tXHM1Do8e29g5V4oHYyCoC2mUtsx22hndt30yvK5hftj+w8YhY3ZCfm20b94M+o9kTHRGIQMgDl1E2xhaUI2t2siOLSaH2K5/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682773; c=relaxed/simple; bh=+xx2VY3aD/YgRxevcSVG/la82v/g8H19CdvdLzDejJI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=io3bUW0AAMDN/admcchdWpChuH58jzPC1nBvsYlkC7S5GvNQQnm/Bxu2K+WowSqLBthYlTgmPHgniriy7BCuHDMuKEoN/yQtRmiwLttMVWMIOgdEyiL+CQCShBwfCXrkJOrnL/+6YpTSoBu+UNfey0RhxQbsF1NCTCl7CXXCBsw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HyxZQlgk; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HyxZQlgk" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E31B3C4CEFA; Fri, 12 Sep 2025 13:12:51 +0000 (UTC) 
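Review bot: `dma_buf_get(fd)` takes a reference on the buffer, and no `dma_buf_put(buf)` is visible in this hunk on either the match or the no-match path, so each lookup appears to pin the dma-buf. `buf` is needed only for the pointer comparison inside the loop, so `dma_buf_put(buf);` right after the `spin_unlock(&fl->lock)` that ends the walk (outside this hunk) would balance it. The early `return PTR_ERR(buf)` also changes the contract: callers that treated any non-zero result as "not cached, create it" now get an error for an fd that is closed or is not a dma-buf, which should be stated in a comment on the function. The rest of fastrpc_map_lookup() is outside the hunk, so confirm there is no put further down.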
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757682773; bh=+xx2VY3aD/YgRxevcSVG/la82v/g8H19CdvdLzDejJI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HyxZQlgkH+gjGDyuFUxocvoglWbOdT5VBiJCmup57a48oLyxlR80XBEMY2LEuwLgI NPbTdKf5bnwqbOeFY/KtqAhmLvSAIWzMohQokTetbDH71A6mvHiQAp8lJPqnffRHlW Ck9dF5Z4jUOSeFpmswEE0VNuqEY+3i38nmURQFuuz5/LbvttWumdyeWuCkz/V5LChU XQE2zSrEPFaBGcBgMwCRCIzldp4Gqk0IVcnNP3R2bwWA+dHhq8ga78VXfqwAiXLNUn YWMPBbp1uNuhc9kgGJPFxubj9yr55nF1Q2mndDRUDL0RX5z2HlI0071OXYH54EBIH/ J5i2A5u/+Akng== From: srini@kernel.org To: gregkh@linuxfoundation.org Cc: linux-kernel@vger.kernel.org, Ling Xu , stable@kernel.org, Ekansh Gupta , Dmitry Baryshkov , Srinivas Kandagatla Subject: [PATCH 3/4] misc: fastrpc: fix possible map leak in fastrpc_put_args Date: Fri, 12 Sep 2025 14:12:35 +0100 Message-ID: <20250912131236.303102-4-srini@kernel.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250912131236.303102-1-srini@kernel.org> References: <20250912131236.303102-1-srini@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ling Xu copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable@kernel.org Co-developed-by: Ekansh Gupta Signed-off-by: Ekansh Gupta Signed-off-by: Ling Xu Reviewed-by: Dmitry Baryshkov Signed-off-by: Srinivas Kandagatla --- drivers/misc/fastrpc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1815b1e0c607..d950a179bff8 100644 --- a/drivers/misc/fastrpc.c 
+++ b/drivers/misc/fastrpc.c @@ -1085,6 +1085,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, struct fastrpc_phy_page *pages; u64 *fdlist; int i, inbufs, outbufs, handles; + int ret =3D 0; =20 inbufs =3D REMOTE_SCALARS_INBUFS(ctx->sc); outbufs =3D REMOTE_SCALARS_OUTBUFS(ctx->sc); @@ -1100,14 +1101,17 @@ static int fastrpc_put_args(struct fastrpc_invoke_c= tx *ctx, u64 len =3D rpra[i].buf.len; =20 if (!kernel) { - if (copy_to_user((void __user *)dst, src, len)) - return -EFAULT; + if (copy_to_user((void __user *)dst, src, len)) { + ret =3D -EFAULT; + goto cleanup_fdlist; + } } else { memcpy(dst, src, len); } } } =20 +cleanup_fdlist: /* Clean up fdlist which is updated by DSP */ for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) 
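Review bot: The new `cleanup_fdlist:` label is entered from inside the output-copy loop, so `fdlist` has to be assigned before that loop starts; the assignment is not in this hunk and should be confirmed, because the loop under the label reads `fdlist[i]` unconditionally. The existing comment above that loop describes only the normal path; something like `/* Reached on success and on copy failure: drop the maps the DSP listed in fdlist */` at the label would record why the error path must fall through here. The matching `return ret;` is in the next hunk.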
@@ -1116,7 +1120,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, fastrpc_map_put(mmap); } =20 - return 0; + return ret; } =20 static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, --=20 2.50.0 From nobody Thu Oct 2 18:17:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 632C03101B5 for ; Fri, 12 Sep 2025 13:12:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682776; cv=none; b=u0dLnJOljvxC6fmM0UIfdnXXkmY0TFNnF72xQIRNHaJ+GUhoY80J+SSbSPKoPFXv7g+wC5j8h+ZjMJm8u5bdaTE8ByLHqRvHfO+XZjSCwIPQw93d45sTudKKRfi4jznwDI3UXm2haSQ5jycfYEhG8S60Kvk5hGbmi0qowyD8hYA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682776; c=relaxed/simple; bh=eGV2y5TFSFQkteHzHzoS4O4WMQxEMS72NLxJWUbTZMc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iRZAQlBjLvDQQKIyvDvimZPKndXDPWhOtOgr5akXqZNwDshTbrpoeNm5Hfx0g6mNEJXuzurLU17ErFUkdLLvHafzdyMdTNntJ3CC+QKZ8hW6UerFJsMajt3sJKCw7zhPuqmyrMmcw6qthqyGg32Evmf9CCVMfa7NMYWK7cEo2Qw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZafejnTu; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZafejnTu" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A2817C4CEF1; Fri, 12 Sep 2025 13:12:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757682775; bh=eGV2y5TFSFQkteHzHzoS4O4WMQxEMS72NLxJWUbTZMc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=ZafejnTuVvUBdDciIeWJrJGIuYDL19u8Nk68tFOa/c25CVG50YB/7qPfg+mlTstrh Ct1uWhdvXqAl+6BXY5knGfKcI+QHtf9yu+1Zro5NpNo0wKOHDn3gWF42rZO5m1ykyy g5aaKkOHzOS5M7fAHpSO1u+7AaHSMOEliN/UIGaw4pCBU4I6ZrP+AwP+Zzip2YdB9I AP4qTy+rNbaejRar3TOb+BafqeVYXqcdhdSiv64iOLNb1sgw/S+CBy0sUPnWqqW2C2 CKY+4AYOyojdCezpZX5FTCzV05mNkcNcP3SFih0AsGDG/ZRbEjvvo57qOIFze/oNWW ZtPkUUYHT30xg== From: srini@kernel.org To: gregkh@linuxfoundation.org Cc: linux-kernel@vger.kernel.org, Ling Xu , stable@kernel.org, Ekansh Gupta , Dmitry Baryshkov , Srinivas Kandagatla Subject: [PATCH 4/4] misc: fastrpc: Skip reference for DMA handles Date: Fri, 12 Sep 2025 14:12:36 +0100 Message-ID: <20250912131236.303102-5-srini@kernel.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250912131236.303102-1-srini@kernel.org> References: <20250912131236.303102-1-srini@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ling Xu If multiple dma handles are passed with same fd over a remote call the kernel driver takes a reference and expects that put for the map will be called as many times to free the map. But DSP only updates the fd one time in the fd list when the DSP refcount goes to zero and hence kernel make put call only once for the fd. This can cause SMMU fault issue as the same fd can be used in future for some other call. Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation") Cc: stable@kernel.org Co-developed-by: Ekansh Gupta Signed-off-by: Ekansh Gupta Signed-off-by: Ling Xu Reviewed-by: Dmitry Baryshkov Signed-off-by: Srinivas Kandagatla --- drivers/misc/fastrpc.c | 45 +++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index d950a179bff8..7eec907ed454 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c 
@@ -363,9 +363,8 @@ static int fastrpc_map_get(struct fastrpc_map *map) =20 =20 static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, - struct fastrpc_map **ppmap, bool take_ref) + struct fastrpc_map **ppmap) { - struct fastrpc_session_ctx *sess =3D fl->sctx; struct fastrpc_map *map =3D NULL; struct dma_buf *buf; int ret =3D -ENOENT; @@ -379,15 +378,6 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl,= int fd, if (map->fd !=3D fd || map->buf !=3D buf) continue; =20 - if (take_ref) { - ret =3D fastrpc_map_get(map); - if (ret) { - dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d ret=3D%d\n", - __func__, fd, ret); - break; - } - } - *ppmap =3D map; ret =3D 0; break; @@ -757,7 +747,7 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops =3D= { .release =3D fastrpc_release, }; =20 -static int fastrpc_map_create(struct fastrpc_user *fl, int fd, +static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, u64 len, u32 attr, struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess =3D fl->sctx; @@ -766,9 +756,6 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd, struct scatterlist *sgl =3D NULL; int err =3D 0, sgl_index =3D 0; =20 - if (!fastrpc_map_lookup(fl, fd, ppmap, true)) - return 0; - map =3D kzalloc(sizeof(*map), GFP_KERNEL); if (!map) return -ENOMEM; @@ -853,6 +840,24 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd, return err; } =20 +static int fastrpc_map_create(struct fastrpc_user *fl, int fd, + u64 len, u32 attr, struct fastrpc_map **ppmap) +{ + struct fastrpc_session_ctx *sess =3D fl->sctx; + int err =3D 0; + + if (!fastrpc_map_lookup(fl, fd, ppmap)) { + if (!fastrpc_map_get(*ppmap)) + return 0; + dev_dbg(sess->dev, "%s: Failed to get map fd=3D%d\n", + __func__, fd); + } + + err =3D fastrpc_map_attach(fl, fd, len, attr, ppmap); + + return err; +} + /* * Fastrpc payload buffer with metadata looks like: * 
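Review bot: Deleting the `take_ref` block moves reference acquisition out of the `spin_lock(&fl->lock)` section: fastrpc_map_lookup() now hands back a bare `map` pointer, and the new fastrpc_map_create() calls `fastrpc_map_get(*ppmap)` only after the lookup has returned. If another thread of the same client drops the last reference in that window, the get would operate on a map that is already being freed. Unless some other serialization exists outside these hunks, I would keep the get inside the locked walk for the caller that needs a reference, or at least add a comment on fastrpc_map_lookup() stating that the returned pointer is unreferenced and what keeps it alive. The unlock itself is outside the hunk.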
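Review bot: On a cache hit the new fastrpc_map_create() returns the existing map without comparing the caller's `len` against it, so the size check added to the attach path earlier in this series is skipped whenever the same fd and dma-buf are reused with a larger length. When `fastrpc_map_get()` fails, `*ppmap` is also left pointing at the map that could not be referenced, and if fastrpc_map_attach() then fails the caller keeps that pointer. The sketch below takes the reference first, re-checks `len` against `map->size`, and clears `*ppmap` before falling back to attach; whether callers expect NULL there is not visible in this diff and should be confirmed.

```c
static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
			      u64 len, u32 attr, struct fastrpc_map **ppmap)
{
	/* … unchanged: sess declaration … */
	struct fastrpc_map *map;

	if (!fastrpc_map_lookup(fl, fd, ppmap)) {
		map = *ppmap;
		*ppmap = NULL;
		if (!fastrpc_map_get(map)) {
			/* A cached map was sized by an earlier request. */
			if (len > map->size) {
				fastrpc_map_put(map);
				return -EINVAL;
			}
			*ppmap = map;
			return 0;
		}
		dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
			__func__, fd);
	}

	return fastrpc_map_attach(fl, fd, len, attr, ppmap);
}
```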
@@ -925,8 +930,12 @@ static int fastrpc_create_maps(struct fastrpc_invoke_c= tx *ctx) ctx->args[i].length =3D=3D 0) continue; =20 - err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, - ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + if (i < ctx->nbufs) + err =3D fastrpc_map_create(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + else + err =3D fastrpc_map_attach(ctx->fl, ctx->args[i].fd, + ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; @@ -1116,7 +1125,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx= *ctx, for (i =3D 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) break; - if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap)) fastrpc_map_put(mmap); } =20 --=20 2.50.0
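Review bot: For indices at or above `ctx->nbufs` the new `else` branch calls fastrpc_map_attach() with no lookup, so a call that passes the same fd as several handles gets one map per occurrence. The fdlist loop in fastrpc_put_args() releases only the first map that matches each fd the DSP reports, so it is not clear from this diff what releases the remaining ones before the client closes. A comment here such as `/* DMA handles: no shared reference, the DSP releases each fd once via fdlist */`, plus a note on where duplicates are freed, would make the ownership rule reviewable. The surrounding loop is only partly inside the hunk.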
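Review bot: `fdlist[i]` is a `u64` that the existing comment says is written by the DSP, and the changed line narrows it with `(int)fdlist[i]` before using it as a file descriptor, so a value above `INT_MAX` would silently alias a small fd. A range check ahead of the lookup, e.g. `if (fdlist[i] > INT_MAX) continue;`, keeps a malformed entry from selecting an unrelated map. Because the lookup now resolves the fd through `dma_buf_get()` in the caller's descriptor table, an fd that userspace has closed or reused by completion time will miss and the map is then not put here; that dependency deserves a comment. The loop header and the function's return are outside this hunk.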