From: Anandu Krishnan E
To: srini@kernel.org, linux-arm-msm@vger.kernel.org
Cc: gregkh@linuxfoundation.org, quic_bkumar@quicinc.com, linux-kernel@vger.kernel.org, quic_chennak@quicinc.com, dri-devel@lists.freedesktop.org, arnd@arndb.de, ekansh.gupta@oss.qualcomm.com, stable@kernel.org
Subject: [PATCH v3] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Date: Tue, 28 Apr 2026 13:03:34 +0530
Message-Id: <20260428073334.934358-1-anandu.e@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1

There is a race between fastrpc_device_release() and the workqueue that
processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an
in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules
context cleanup via schedule_work(&ctx->put_work). If the workqueue runs
fastrpc_context_free() in parallel with or after fastrpc_device_release()
has freed the user structure, it dereferences the freed fastrpc_user.

Depending on the state of the context at the time of the race, any one of
the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to
   strip the SID bits from the stored IOVA before passing the physical
   address to dma_free_coherent().

2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct
   the source permission bitmask needed for the qcom_scm_assign_mem() call
   that returns memory from the DSP VM back to HLOS.

3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node
   from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context
take a reference on the user at allocation time and release it when the
context is freed. Release the initial reference in fastrpc_device_release()
at file close.
Move the teardown of the user structure — freeing pending contexts, maps,
mmaps, and the channel context reference — into the kref release callback
fastrpc_user_free(), so that it runs only when the last reference is
dropped, regardless of whether that happens at device close or after the
final in-flight context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E
---
Changes in v3:
- Fixed fastrpc_user_put()/fastrpc_channel_ctx_put() call order in
  fastrpc_context_free() and the err_idr path of fastrpc_context_alloc();
  the correct ordering from v1 was accidentally reversed in v2
- Link to v2: https://lore.kernel.org/all/20260427074021.3774769-1-anandu.e@oss.qualcomm.com/

Changes in v2:
- Rewrote commit message to establish the problem first per review
  feedback; identified all three UAF dereference sites explicitly
- Moved resource cleanup (pending contexts, maps, mmaps) into
  fastrpc_user_free() so teardown is consolidated in the kref release
  callback
- Link to v1: https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/

 drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++-------------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1080f9acf70a..49f0058824f0 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -310,6 +310,8 @@ struct fastrpc_user { spinlock_t lock; /* lock for allocations */ struct mutex mutex; + /* Reference count */ + struct kref refcount; }; =20 /* Extract SMMU PA from consolidated IOVA */
@@ -497,15 +499,57 @@ static void fastrpc_channel_ctx_put(struct fastrpc_ch= annel_ctx *cctx) kref_put(&cctx->refcount, fastrpc_channel_ctx_free); } =20 +static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); + +static void fastrpc_user_free(struct kref *ref) +{ + struct fastrpc_user *fl =3D container_of(ref, struct fastrpc_user, refcou= nt); + struct fastrpc_invoke_ctx *ctx, *n; + struct fastrpc_map *map, *m; + struct fastrpc_buf *buf, *b; + + if (fl->init_mem) + fastrpc_buf_free(fl->init_mem); + + list_for_each_entry_safe(ctx, n, &fl->pending, node) { + list_del(&ctx->node); + fastrpc_context_put(ctx); + } + + list_for_each_entry_safe(map, m, &fl->maps, node) + fastrpc_map_put(map); + + list_for_each_entry_safe(buf, b, &fl->mmaps, node) { + list_del(&buf->node); + fastrpc_buf_free(buf); + } + + fastrpc_channel_ctx_put(fl->cctx); + mutex_destroy(&fl->mutex); + kfree(fl); +} + +static void fastrpc_user_get(struct fastrpc_user *fl) +{ + kref_get(&fl->refcount); +} + +static void fastrpc_user_put(struct fastrpc_user *fl) +{ + kref_put(&fl->refcount, fastrpc_user_free); +} + static void fastrpc_context_free(struct kref *ref) { struct fastrpc_invoke_ctx *ctx; struct fastrpc_channel_ctx *cctx; + struct fastrpc_user *fl; unsigned long flags; int i; =20 ctx =3D container_of(ref, struct fastrpc_invoke_ctx, refcount); cctx =3D ctx->cctx; + fl =3D ctx->fl; =20 for (i =3D 0; i < ctx->nbufs; i++) fastrpc_map_put(ctx->maps[i]); @@ -521,6 +565,8 @@ static void fastrpc_context_free(struct kref *ref) kfree(ctx->olaps); kfree(ctx); =20 + /* Release the reference taken in fastrpc_context_alloc() */ + fastrpc_user_put(fl); fastrpc_channel_ctx_put(cctx); } =20 @@ -628,6 +674,8 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( =20 /* Released in fastrpc_context_put() */ fastrpc_channel_ctx_get(cctx); + /* Take a reference to user, released in fastrpc_context_free() */ + fastrpc_user_get(user); =20 ctx->sc =3D sc; ctx->retval =3D -1; 
@@ -658,6 +706,7 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( spin_lock(&user->lock); list_del(&ctx->node); spin_unlock(&user->lock); + fastrpc_user_put(user); fastrpc_channel_ctx_put(cctx); kfree(ctx->maps); kfree(ctx->olaps); @@ -1579,9 +1628,6 @@ static int fastrpc_device_release(struct inode *inode= , struct file *file) { struct fastrpc_user *fl =3D (struct fastrpc_user *)file->private_data; struct fastrpc_channel_ctx *cctx =3D fl->cctx; - struct fastrpc_invoke_ctx *ctx, *n; - struct fastrpc_map *map, *m; - struct fastrpc_buf *buf, *b; unsigned long flags; =20 fastrpc_release_current_dsp_process(fl); @@ -1590,29 +1636,13 @@ static int fastrpc_device_release(struct inode *ino= de, struct file *file) list_del(&fl->user); spin_unlock_irqrestore(&cctx->lock, flags); =20 - if (fl->init_mem) - fastrpc_buf_free(fl->init_mem); - - list_for_each_entry_safe(ctx, n, &fl->pending, node) { - list_del(&ctx->node); - fastrpc_context_put(ctx); - } - - list_for_each_entry_safe(map, m, &fl->maps, node) - fastrpc_map_put(map); - - list_for_each_entry_safe(buf, b, &fl->mmaps, node) { - list_del(&buf->node); - fastrpc_buf_free(buf); - } - fastrpc_session_free(cctx, fl->sctx); - fastrpc_channel_ctx_put(cctx); =20 - mutex_destroy(&fl->mutex); - kfree(fl); file->private_data =3D NULL; =20 + /* Release the reference taken in fastrpc_device_open */ + fastrpc_user_put(fl); + return 0; } =20 @@ -1655,6 +1685,7 @@ static int fastrpc_device_open(struct inode *inode, s= truct file *filp) spin_lock_irqsave(&cctx->lock, flags); list_add_tail(&fl->user, &cctx->users); spin_unlock_irqrestore(&cctx->lock, flags); + kref_init(&fl->refcount); =20 return 0; } --=20 2.34.1
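Review bot: the `/* Reference count */` comment on the new `struct kref refcount` member of struct fastrpc_user (first hunk) adds nothing the type does not already say; document who holds references (the open file, released in fastrpc_device_release(), and each live fastrpc_invoke_ctx, released in fastrpc_context_free()) and that fastrpc_user_free() is the release callback, since that lifetime rule is what a reader of the struct needs.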
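Review bot: the fl->pending walk in fastrpc_user_free() (second hunk) can never run and points at a reference cycle: every invoke context takes a user reference in fastrpc_context_alloc() via fastrpc_user_get(user) and drops it only in fastrpc_context_free() via fastrpc_user_put(fl), so while any context is still on fl->pending the user's refcount stays above zero and the release callback is not called. A context left on fl->pending at close (the case the removed loop in fastrpc_device_release() used to handle) would therefore keep both itself and the fastrpc_user alive indefinitely, and if the loop ever did execute, fastrpc_context_put(ctx) would call fastrpc_user_put() on a kref that is already zero. Keep the `list_for_each_entry_safe(ctx, n, &fl->pending, node)` / `fastrpc_context_put(ctx)` loop in fastrpc_device_release() ahead of the final fastrpc_user_put(fl), and move only the init_mem, maps and mmaps teardown into fastrpc_user_free().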
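Review bot: in the fastrpc_device_release() hunk, fastrpc_session_free(cctx, fl->sctx) is still called at close, while the init_mem, maps and mmaps teardown has moved into fastrpc_user_free(), which may now run later from the put_work path. Unless those buffers and maps are independent of the session, the session slot is returned for reuse while DMA buffers and dma-buf attachments created on it are still live; either move fastrpc_session_free() into fastrpc_user_free() after the buffer and map cleanup, or add a comment explaining why the current ordering is safe.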
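Review bot: in the fastrpc_device_open() hunk, `kref_init(&fl->refcount);` is placed after fl has been published on cctx->users under cctx->lock, so the object is briefly visible to other users-list walkers with an uninitialised refcount; initialise it with the rest of the fastrpc_user fields by moving the call above `spin_lock_irqsave(&cctx->lock, flags);`.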