From: Anandu Krishnan E
To: srini@kernel.org
Cc: linux-arm-msm@vger.kernel.org, gregkh@linuxfoundation.org, quic_bkumar@quicinc.com, linux-kernel@vger.kernel.org, quic_chennak@quicinc.com, dri-devel@lists.freedesktop.org, arnd@arndb.de, ekansh.gupta@oss.qualcomm.com, stable@kernel.org
Subject: [PATCH v2] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Date: Mon, 27 Apr 2026 13:10:21 +0530
Message-Id: <20260427074021.3774769-1-anandu.e@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user.

Depending on the state of the context at the time of the race, any one of the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().
2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.
3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close.
Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E
---
Changes in v2:
- Rewrote commit message to establish the problem first per review feedback; identified all three UAF dereference sites explicitly
- Moved resource cleanup (pending contexts, maps, mmaps) into fastrpc_user_free() so teardown is consolidated in the kref release callback
- Link to v1: https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/

 drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++-------------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1080f9acf70a..7afbd470c9fd 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -310,6 +310,8 @@ struct fastrpc_user { spinlock_t lock; /* lock for allocations */ struct mutex mutex; + /* Reference count */ + struct kref refcount; }; =20 /* Extract SMMU PA from consolidated IOVA */
@@ -497,15 +499,57 @@ static void fastrpc_channel_ctx_put(struct fastrpc_ch= annel_ctx *cctx) kref_put(&cctx->refcount, fastrpc_channel_ctx_free); } =20 +static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); + +static void fastrpc_user_free(struct kref *ref) +{ + struct fastrpc_user *fl =3D container_of(ref, struct fastrpc_user, refcou= nt); + struct fastrpc_invoke_ctx *ctx, *n; + struct fastrpc_map *map, *m; + struct fastrpc_buf *buf, *b; + + if (fl->init_mem) + fastrpc_buf_free(fl->init_mem); + + list_for_each_entry_safe(ctx, n, &fl->pending, node) { + list_del(&ctx->node); + fastrpc_context_put(ctx); + } + + list_for_each_entry_safe(map, m, &fl->maps, node) + fastrpc_map_put(map); + + list_for_each_entry_safe(buf, b, &fl->mmaps, node) { + list_del(&buf->node); + fastrpc_buf_free(buf); + } + + fastrpc_channel_ctx_put(fl->cctx); + mutex_destroy(&fl->mutex); + kfree(fl); +} + +static void fastrpc_user_get(struct fastrpc_user *fl) +{ + kref_get(&fl->refcount); +} + +static void fastrpc_user_put(struct fastrpc_user *fl) +{ + kref_put(&fl->refcount, fastrpc_user_free); +} + static void fastrpc_context_free(struct kref *ref) { struct fastrpc_invoke_ctx *ctx; struct fastrpc_channel_ctx *cctx; + struct fastrpc_user *fl; unsigned long flags; int i; =20 ctx =3D container_of(ref, struct fastrpc_invoke_ctx, refcount); cctx =3D ctx->cctx; + fl =3D ctx->fl; =20 for (i =3D 0; i < ctx->nbufs; i++) fastrpc_map_put(ctx->maps[i]); @@ -522,6 +566,8 @@ static void fastrpc_context_free(struct kref *ref) kfree(ctx); =20 fastrpc_channel_ctx_put(cctx); + /* Release the reference taken in fastrpc_context_alloc() */ + fastrpc_user_put(fl); } =20 static void fastrpc_context_get(struct fastrpc_invoke_ctx *ctx) 
@@ -628,6 +674,8 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( =20 /* Released in fastrpc_context_put() */ fastrpc_channel_ctx_get(cctx); + /* Take a reference to user, released in fastrpc_context_free() */ + fastrpc_user_get(user); =20 ctx->sc =3D sc; ctx->retval =3D -1; @@ -659,6 +707,7 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( list_del(&ctx->node); spin_unlock(&user->lock); fastrpc_channel_ctx_put(cctx); + fastrpc_user_put(user); kfree(ctx->maps); kfree(ctx->olaps); kfree(ctx); @@ -1579,9 +1628,6 @@ static int fastrpc_device_release(struct inode *inode= , struct file *file) { struct fastrpc_user *fl =3D (struct fastrpc_user *)file->private_data; struct fastrpc_channel_ctx *cctx =3D fl->cctx; - struct fastrpc_invoke_ctx *ctx, *n; - struct fastrpc_map *map, *m; - struct fastrpc_buf *buf, *b; unsigned long flags; =20 fastrpc_release_current_dsp_process(fl); @@ -1590,29 +1636,13 @@ static int fastrpc_device_release(struct inode *ino= de, struct file *file) list_del(&fl->user); spin_unlock_irqrestore(&cctx->lock, flags); =20 - if (fl->init_mem) - fastrpc_buf_free(fl->init_mem); - - list_for_each_entry_safe(ctx, n, &fl->pending, node) { - list_del(&ctx->node); - fastrpc_context_put(ctx); - } - - list_for_each_entry_safe(map, m, &fl->maps, node) - fastrpc_map_put(map); - - list_for_each_entry_safe(buf, b, &fl->mmaps, node) { - list_del(&buf->node); - fastrpc_buf_free(buf); - } - fastrpc_session_free(cctx, fl->sctx); - fastrpc_channel_ctx_put(cctx); =20 - mutex_destroy(&fl->mutex); - kfree(fl); file->private_data =3D NULL; =20 + /* Release the reference taken in fastrpc_device_open */ + fastrpc_user_put(fl); + return 0; } =20 @@ -1655,6 +1685,7 @@ static int fastrpc_device_open(struct inode *inode, s= truct file *filp) spin_lock_irqsave(&cctx->lock, flags); list_add_tail(&fl->user, &cctx->users); spin_unlock_irqrestore(&cctx->lock, flags); + kref_init(&fl->refcount); =20 return 0; } --=20 2.34.1
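Review bot: in the @@ -310 hunk, the comment on the new `struct kref refcount;` member only repeats its type; the ownership rule that the rest of the patch relies on (one reference held by the open fd, one by each in-flight invoke context, teardown by whichever holder drops the last) lives only in the commit message. State it at the member, e.g. `/* one ref per open fd plus one per in-flight invoke ctx; see fastrpc_user_free() */`, so the next person touching fastrpc_device_release() or fastrpc_context_alloc() sees the invariant where the field is declared.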
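Review bot: in the @@ -497 hunk, the `list_for_each_entry_safe(ctx, n, &fl->pending, node)` drain in fastrpc_user_free() can never find anything, and if it did it would underflow the kref. Every context on fl->pending holds the reference taken in fastrpc_context_alloc() and drops it only at the end of fastrpc_context_free(), so fastrpc_user_free() cannot be reached while a context is still on the list; and calling fastrpc_context_put(ctx) from inside the release callback would recurse into fastrpc_user_put(fl) on a refcount that is already zero. The practical effect is the inverse of what the removed code in fastrpc_device_release() did: a context still on fl->pending when the fd is closed now pins fl (and itself) indefinitely instead of being dropped. Keep the pending-list walk in fastrpc_device_release(), dropping the list's reference on each context there, and let fastrpc_user_free() tear down only what in-flight contexts do not pin (fl->init_mem, fl->maps, fl->mmaps, the cctx reference, the mutex).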
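Review bot: in the @@ -1590 hunk, `fastrpc_session_free(cctx, fl->sctx);` still runs at close, but the buffers and maps that were allocated against that session are now freed later, in fastrpc_user_free(), when the last in-flight context completes. Before this change the frees preceded fastrpc_session_free(); after it the session is handed back to cctx while fl->init_mem, the fl->mmaps buffers and the contexts' own buffers are still live on it, so a subsequent fastrpc_device_open() can be given the same session while those allocations are outstanding. Move fastrpc_session_free() into fastrpc_user_free(), after the buffer and map teardown and before fastrpc_channel_ctx_put(fl->cctx), so the session outlives everything that references it. The local `cctx` read from fl at the top of the function is not used after fastrpc_user_put(fl), so that part of the ordering is fine.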
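Review bot: in the @@ -1655 hunk, `kref_init(&fl->refcount);` is placed after fl has already been published on cctx->users under cctx->lock, which leaves a window where a walker of cctx->users sees a user with an uninitialised refcount. Initialise the kref immediately after fl is allocated, before any list_add_tail(), and then any error path between the allocation and the end of fastrpc_device_open() can release fl with fastrpc_user_put() instead of a bare kfree(), keeping a single teardown path.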
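The lifetime rule the commit message describes (the open fd and each in-flight invoke context each hold one reference on the user, and the user is torn down by whichever holder drops the last one), as an added stand-alone C model. This is not the driver's code or the author's: the reduced `struct user` and `struct ctx`, the poison flag used in place of kfree(), the counters and the scenario driver are constructed for illustration, and the kref is a user-space copy of the kernel's API, not the kernel's implementation. It replays the interleaving from the report deterministically, in both orders, with and without the reference count, and reports whether the user was freed exactly once and whether any context touched it after teardown.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reduced kref with the kernel's semantics: starts at 1, runs release()
 * when the last holder drops it, returns 1 if release() ran. */
struct kref { atomic_int refcount; };

static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }
static void kref_get(struct kref *k)  { atomic_fetch_add(&k->refcount, 1); }
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
	if (atomic_fetch_sub(&k->refcount, 1) == 1) {
		release(k);
		return 1;
	}
	return 0;
}

/* Hypothetical stand-ins for fastrpc_user and fastrpc_invoke_ctx. */
struct user {
	struct kref refcount;
	int cctx;	/* plays the role of fl->cctx, read by buffer teardown */
	bool freed;	/* poison flag instead of kfree(), so results stay inspectable */
};

struct ctx {
	struct user *fl;	/* a context pins its user */
};

static int user_free_count;	/* how many times the user was torn down */
static int uaf_count;		/* teardowns that read a user already freed */

static void user_free(struct kref *ref)
{
	struct user *fl = (struct user *)((char *)ref - offsetof(struct user, refcount));

	fl->freed = true;
	user_free_count++;
}

/* Context allocation: with the fix, the context takes a user reference. */
static void ctx_alloc(struct ctx *c, struct user *fl, bool patched)
{
	c->fl = fl;
	if (patched)
		kref_get(&fl->refcount);
}

/* Deferred context teardown, the work the report shows running from the
 * workqueue: it reads fl->cctx, then drops the context's user reference. */
static void ctx_free(struct ctx *c, bool patched)
{
	if (c->fl->freed)
		uaf_count++;	/* the buf->fl->cctx access from the report */
	else
		(void)c->fl->cctx;
	if (patched)
		kref_put(&c->fl->refcount, user_free);
}

/* File close: unpatched frees the user outright, patched drops one reference. */
static void device_release(struct user *fl, bool patched)
{
	if (patched)
		kref_put(&fl->refcount, user_free);
	else
		user_free(&fl->refcount);
}

struct outcome { int frees; int uafs; };

/* Replay one interleaving: a single context is in flight when the fd is
 * closed; release_first chooses whether close or the worker runs first. */
static struct outcome run(bool patched, bool release_first)
{
	struct user fl = { .cctx = 1, .freed = false };
	struct ctx c;
	struct outcome o;

	user_free_count = 0;
	uaf_count = 0;
	kref_init(&fl.refcount);
	ctx_alloc(&c, &fl, patched);
	if (release_first) {
		device_release(&fl, patched);
		ctx_free(&c, patched);
	} else {
		ctx_free(&c, patched);
		device_release(&fl, patched);
	}
	o.frees = user_free_count;
	o.uafs = uaf_count;
	return o;
}

int main(void)
{
	for (int p = 0; p < 2; p++)
		for (int r = 0; r < 2; r++) {
			struct outcome o = run(p, r);

			printf("%s, %s: user freed %d time(s), %d use-after-free\n",
			       p ? "patched" : "unpatched",
			       r ? "close first" : "worker first", o.frees, o.uafs);
		}
	return 0;
}
```

Unpatched with close running first reproduces the report: the user is freed at close and the deferred context teardown reads it afterwards. With the reference count, both orders free the user exactly once, and never before the last context has finished with it; that is the whole content of the fix, and the property any further rework of the teardown order has to preserve.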