From: Anandu Krishnan E
To: srini@kernel.org, linux-arm-msm@vger.kernel.org
Cc: gregkh@linuxfoundation.org, quic_bkumar@quicinc.com, linux-kernel@vger.kernel.org, quic_chennak@quicinc.com, dri-devel@lists.freedesktop.org, arnd@arndb.de, ekansh.gupta@oss.qualcomm.com, stable@kernel.org
Subject: [PATCH v1] misc: fastrpc: Add reference counting for fastrpc_user structure
Date: Thu, 26 Feb 2026 20:41:21 +0530
Message-Id: <20260226151121.818852-1-anandu.e@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1

Add reference counting using kref to the fastrpc_user structure to prevent use-after-free issues when contexts are freed from the workqueue after device release.

The issue occurs when fastrpc_device_release() frees the user structure while invoke contexts are still pending in the workqueue. When the workqueue later calls fastrpc_context_free(), it attempts to access buf->fl->cctx in fastrpc_buf_free(), leading to a use-after-free:

pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
...
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388

Implement proper reference counting to fix this:
- Initialize kref in fastrpc_device_open()
- Take a reference in fastrpc_context_alloc() for each context
- Release the reference in fastrpc_context_free() when the context is freed
- Release the initial reference in fastrpc_device_release()

This ensures the user structure remains valid as long as there are contexts holding references to it, preventing the race condition.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E
---
 drivers/misc/fastrpc.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 47356a5d5804..3ababcf327d7 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -310,6 +310,8 @@ struct fastrpc_user { spinlock_t lock; /* lock for allocations */ struct mutex mutex; + /* Reference count */ + struct kref refcount; }; =20 /* Extract SMMU PA from consolidated IOVA */
@@ -497,15 +499,36 @@ static void fastrpc_channel_ctx_put(struct fastrpc_ch= annel_ctx *cctx) kref_put(&cctx->refcount, fastrpc_channel_ctx_free); } =20 +static void fastrpc_user_free(struct kref *ref) +{ + struct fastrpc_user *fl =3D container_of(ref, struct fastrpc_user, refcou= nt); + + fastrpc_channel_ctx_put(fl->cctx); + mutex_destroy(&fl->mutex); + kfree(fl); +} + +static void fastrpc_user_get(struct fastrpc_user *fl) +{ + kref_get(&fl->refcount); +} + +static void fastrpc_user_put(struct fastrpc_user *fl) +{ + kref_put(&fl->refcount, fastrpc_user_free); +} + static void fastrpc_context_free(struct kref *ref) { struct fastrpc_invoke_ctx *ctx; struct fastrpc_channel_ctx *cctx; + struct fastrpc_user *fl; unsigned long flags; int i; =20 ctx =3D container_of(ref, struct fastrpc_invoke_ctx, refcount); cctx =3D ctx->cctx; + fl =3D ctx->fl; =20 for (i =3D 0; i < ctx->nbufs; i++) fastrpc_map_put(ctx->maps[i]); @@ -521,6 +544,8 @@ static void fastrpc_context_free(struct kref *ref) kfree(ctx->olaps); kfree(ctx); =20 + /* Release the reference taken in fastrpc_context_alloc() */ + fastrpc_user_put(fl); fastrpc_channel_ctx_put(cctx); } =20 @@ -628,6 +653,8 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( =20 /* Released in fastrpc_context_put() */ fastrpc_channel_ctx_get(cctx); + /* Take a reference to user, released in fastrpc_context_free() */ + fastrpc_user_get(user); =20 ctx->sc =3D sc; ctx->retval =3D -1; @@ -658,6 +685,7 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( spin_lock(&user->lock); list_del(&ctx->node); spin_unlock(&user->lock); + fastrpc_user_put(user); fastrpc_channel_ctx_put(cctx); kfree(ctx->maps); kfree(ctx->olaps); 
@@ -1606,11 +1634,9 @@ static int fastrpc_device_release(struct inode *inod= e, struct file *file) } =20 fastrpc_session_free(cctx, fl->sctx); - fastrpc_channel_ctx_put(cctx); - - mutex_destroy(&fl->mutex); - kfree(fl); file->private_data =3D NULL; + /* Release the reference taken in fastrpc_device_open */ + fastrpc_user_put(fl); =20 return 0; } @@ -1654,6 +1680,7 @@ static int fastrpc_device_open(struct inode *inode, s= truct file *filp) spin_lock_irqsave(&cctx->lock, flags); list_add_tail(&fl->user, &cctx->users); spin_unlock_irqrestore(&cctx->lock, flags); + kref_init(&fl->refcount); =20 return 0; } --=20 2.34.1
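Review bot: the `/* Reference count */` comment added to `struct fastrpc_user` only restates the type of `struct kref refcount;`; following the style of the neighbouring `/* lock for allocations */` comment, say who holds references (the open file plus every pending fastrpc_invoke_ctx) and that the last put runs fastrpc_user_free(), so the lifetime rule is visible at the definition.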
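Review bot: fastrpc_user_free() drops fl->cctx, destroys fl->mutex and frees fl, and with this change it can run from the workqueue via fastrpc_context_put_wq() well after fastrpc_device_release() has returned; nothing in this diff unlinks fl from cctx->users, so please confirm that unlink already happens in the release path before the final fastrpc_user_put(), and record the constraint in a comment above fastrpc_user_free() (for example `/* fl must already be unlinked from cctx->users */`) so the ordering survives future refactoring.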
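Review bot: in the fastrpc_device_release() hunk, `fastrpc_session_free(cctx, fl->sctx);` still runs before the new `fastrpc_user_put(fl);`, so a context freed from the workqueue afterwards keeps fl alive but finds fl->sctx pointing at a session that has already been released. The commit message says fastrpc_buf_free() reaches buf->fl->cctx; please confirm that buffer and context teardown never dereference fl->sctx as well, otherwise the session free should move into fastrpc_user_free() next to the fastrpc_channel_ctx_put(). Minor: the new comment reads `fastrpc_device_open` while the other new comments write the function names with `()`.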
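Review bot: in the fastrpc_device_open() hunk, `kref_init(&fl->refcount);` is placed after `list_add_tail(&fl->user, &cctx->users);` has already published fl on the channel's user list, so for that window the object is reachable with an uninitialised kref. Initialise the refcount together with the other fl fields before the spin_lock_irqsave(), and check that any error path in fastrpc_device_open() after that point releases fl through fastrpc_user_put() rather than a bare kfree(fl), so the channel reference taken for the user is dropped exactly once.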