From nobody Thu Oct 2 19:35:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4156530E0E3 for ; Fri, 12 Sep 2025 13:12:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682770; cv=none; b=d85rhF9H34ZfSCvyaEzmYmWU48racneVLXlW/9CvxN7S0jMF9OfypkfHs9Z7UyOklAXxZ6qagGARxxN37/BPGAB+FN5R/hTleL5AXczkBQ5GPhqDNz/4P3b49quCO3JK16eELtJio/XGsmMqCT20wSFUxYDuRh3DPDsyZhyVE7o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757682770; c=relaxed/simple; bh=0YBeKz/9RjMOw/hYk65mXjMvPHkyUPulYWuA//2lkwc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oJVERFmCBNAbur8VMlrNkhtHXZ206jbVA6RmzihKzevzswwynwDzMothm090YKyxEHQsnzonuBD7f9Lnu61KTV80K9tHNED3NR6ycg+EG7EzB0+1bDt5EGbyKqGF27egs/feDLFZIYw7fmXrvMB/0vO+ae0CePTw99vLcS3T6/o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=LMlKOSnB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="LMlKOSnB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 470BDC4CEF7; Fri, 12 Sep 2025 13:12:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757682769; bh=0YBeKz/9RjMOw/hYk65mXjMvPHkyUPulYWuA//2lkwc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LMlKOSnB64fIVYLR1dw+Hg5PaOV/nEHP+H6P0oUvOMvc5xwVAtRIQCryWWpcpfbiW GRtGAy9bqLpKHLF+EZ28Vn02dzE3A5g8BF5ztRWPxrMHISX48wHqBxrx6L2EByyYNO HN7hFjeIbPRX5jd9P0zp5P5Iyn1c0VAm2jMIZf0K34fCkIlyWuldwG49IgBEdB8A69 
7nFFENdjbsNXP+9tJGTauMAqb0KiQq9iOS6EuhPTx/abOmMOOKPwD2vwrewPcakztA IbALy5RTj9H7hQ8ULPdB1BHJDAXUUnnKYZiUkTVWmtvyASOAa+E5LYPnfhgUsWVBNT deXXqPQlEGkAg== From: srini@kernel.org To: gregkh@linuxfoundation.org Cc: linux-kernel@vger.kernel.org, Ling Xu , stable@kernel.org, Dmitry Baryshkov , Ekansh Gupta , Dmitry Baryshkov , Srinivas Kandagatla Subject: [PATCH 1/4] misc: fastrpc: Save actual DMA size in fastrpc_map structure Date: Fri, 12 Sep 2025 14:12:33 +0100 Message-ID: <20250912131236.303102-2-srini@kernel.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250912131236.303102-1-srini@kernel.org> References: <20250912131236.303102-1-srini@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ling Xu For user passed fd buffer, map is created using DMA calls. The map related information is stored in fastrpc_map structure. The actual DMA size is not stored in the structure. Store the actual size of buffer and check it against the user passed size. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable@kernel.org Reviewed-by: Dmitry Baryshkov Co-developed-by: Ekansh Gupta Signed-off-by: Ekansh Gupta Signed-off-by: Ling Xu Reviewed-by: Dmitry Baryshkov Signed-off-by: Srinivas Kandagatla
---
 drivers/misc/fastrpc.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 53e88a1bc430..52571916acd4 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref *ref)
=20
 perm.vmid =3D QCOM_SCM_VMID_HLOS;
 perm.perm =3D QCOM_SCM_PERM_RWX;
- err =3D qcom_scm_assign_mem(map->phys, map->size,
+ err =3D qcom_scm_assign_mem(map->phys, map->len,
 &src_perms, &perm, 1);
 if (err) {
 dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size = 0x%llx err %d\n",
- map->phys, map->size, err);
+ map->phys, map->len, err);
 return;
 }
 }
@@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, = int fd,
 struct fastrpc_session_ctx *sess =3D fl->sctx;
 struct fastrpc_map *map =3D NULL;
 struct sg_table *table;
- int err =3D 0;
+ struct scatterlist *sgl =3D NULL;
+ int err =3D 0, sgl_index =3D 0;
=20
 if (!fastrpc_map_lookup(fl, fd, ppmap, true))
 return 0;
@@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl,= int fd,
 map->phys =3D sg_dma_address(map->table->sgl);
 map->phys +=3D ((u64)fl->sctx->sid << 32);
 }
- map->size =3D len;
+ for_each_sg(map->table->sgl, sgl, map->table->nents,
+ sgl_index)
+ map->size +=3D sg_dma_len(sgl);
+ if (len > map->size) {
+ dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n",
+ len, map->size);
+ err =3D -EINVAL;
+ goto map_err;
+ }
 map->va =3D sg_virt(map->table->sgl);
 map->len =3D len;
=20
@@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl= , int fd,
 dst_perms[1].vmid =3D fl->cctx->vmperms[0].vmid;
 dst_perms[1].perm =3D QCOM_SCM_PERM_RWX;
 map->attr =3D attr;
- err =3D qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_p= erms, 2);
+ err =3D qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_pe= rms, 2);
 if (err) {
 dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%ll= x err %d\n",
- map->phys, map->size, err);
+ map->phys, map->len, err);
 goto map_err;
 }
 }
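Review bot: The early `fastrpc_map_lookup()` return visible as context in the @@ -758 hunk hands back an existing map without comparing the caller's `len` to it, so the size check added in the @@ -798 hunk only covers the first mapping of an fd. If this function can be reached again for an already-mapped fd with a larger length, the same bound is needed on that path, along the lines of `if (len > (*ppmap)->size) return -EINVAL;` after a successful lookup. The lookup is called with `true` as its last argument; if that takes a reference, the rejection path must drop it, which cannot be confirmed from here because fastrpc_map_create starts and ends outside the hunk.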
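Review bot: In the @@ -798 hunk `map->size` is summed over every DMA segment, while `map->phys` just above comes from the first segment only (`sg_dma_address(map->table->sgl)`), so `len <= map->size` shows that `phys .. phys + len` is backed by the buffer only when the table maps to a single contiguous DMA range. If more than one segment is possible on this path, the bound should be the first segment's `sg_dma_len()` or tables with `nents > 1` should be rejected; otherwise a comment such as `/* IOMMU mapping yields one contiguous DMA range; size is the total of all segments */` would record the assumption. The accumulation with `+=` also depends on `map->size` being zero at this point, and the allocation is outside the hunk. `for_each_sgtable_dma_sg(map->table, sgl, sgl_index)` is the scatterlist helper for walking DMA-mapped entries and would replace the two-line `for_each_sg(...)` call.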
@@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp)
 args[0].length =3D sizeof(req_msg);
=20
 pages.addr =3D map->phys;
- pages.size =3D map->size;
+ pages.size =3D map->len;
=20
 args[1].ptr =3D (u64) (uintptr_t) &pages;
 args[1].length =3D sizeof(pages);
@@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp)
 err =3D fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[= 0]);
 if (err) {
 dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n",
- req.fd, req.vaddrin, map->size);
+ req.fd, req.vaddrin, map->len);
 goto err_invoke;
 }
=20
@@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *f= l, char __user *argp)
 if (copy_to_user((void __user *)argp, &req, sizeof(req))) {
 /* unmap the memory and release the buffer */
 req_unmap.vaddr =3D (uintptr_t) rsp_msg.vaddr;
- req_unmap.length =3D map->size;
+ req_unmap.length =3D map->len;
 fastrpc_req_mem_unmap_impl(fl, &req_unmap);
 return -EFAULT;
 }
--=20
2.50.0
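Review bot: The `dev_err()` in the @@ -2061 hunk still formats the length with `%lld`, whereas the other messages touched by this patch print the same field with `0x%llx`. If `map->len` is unsigned, as those uses and the `(u64)` cast in fastrpc_map_create suggest, the matching specifier is `%llu`: `"mem mmap error, fd %d, vaddr %llx, size %llu\n"`. The struct definition is not part of the patch, so the field type should be confirmed before changing it.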