Scatterlist table is obtained during map create request and the same
table is used for DMA mapping unmap. In case there is any failure
while getting the sg_table, ERR_PTR is returned instead of sg_table.
When the map is getting freed, there is only a non-NULL check of
sg_table which will also be true in case failure was returned instead
of sg_table. This would result in improper unmap request. Add proper
check before setting map table to avoid bad unmap request.
Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <[email protected]>
Signed-off-by: Ekansh Gupta <[email protected]>
---
Changes in v2:
- Added fixes information to commit text
Changes in v3:
- Set map->table only if attachment for successful
drivers/misc/fastrpc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 9666d28..de7c812 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
{
struct fastrpc_session_ctx *sess = fl->sctx;
struct fastrpc_map *map = NULL;
+ struct sg_table *table;
int err = 0;
if (!fastrpc_map_lookup(fl, fd, ppmap, true))
@@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
goto attach_err;
}
- map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
- if (IS_ERR(map->table)) {
- err = PTR_ERR(map->table);
+ table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL);
+ if (IS_ERR(table)) {
+ err = PTR_ERR(table);
goto map_err;
}
+ map->table = table;
if (attr & FASTRPC_ATTR_SECUREMAP) {
map->phys = sg_phys(map->table->sgl);
--
2.7.4
On 02/08/2023 06:10, Ekansh Gupta wrote:
> Scatterlist table is obtained during map create request and the same
> table is used for DMA mapping unmap. In case there is any failure
> while getting the sg_table, ERR_PTR is returned instead of sg_table.
>
> When the map is getting freed, there is only a non-NULL check of
> sg_table which will also be true in case failure was returned instead
> of sg_table. This would result in improper unmap request. Add proper
> check before setting map table to avoid bad unmap request.
>
> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
> Cc: stable <[email protected]>
> Signed-off-by: Ekansh Gupta <[email protected]>
> ---
> Changes in v2:
> - Added fixes information to commit text
> Changes in v3:
> - Set map->table only if attachment for successful
>
> drivers/misc/fastrpc.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index 9666d28..de7c812 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
> {
> struct fastrpc_session_ctx *sess = fl->sctx;
> struct fastrpc_map *map = NULL;
> + struct sg_table *table;
> int err = 0;
>
> if (!fastrpc_map_lookup(fl, fd, ppmap, true))
> @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
> goto attach_err;
> }
>
> - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
> - if (IS_ERR(map->table)) {
> - err = PTR_ERR(map->table);
> + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL);
Any reason why dma_buf_map_attachment_unlocked changed to
dma_buf_map_attachment?
--srini
> + if (IS_ERR(table)) {
> + err = PTR_ERR(table);
> goto map_err;
> }
> + map->table = table;
>
> if (attr & FASTRPC_ATTR_SECUREMAP) {
> map->phys = sg_phys(map->table->sgl);
On 8/2/2023 7:13 PM, Srinivas Kandagatla wrote:
>
>
> On 02/08/2023 06:10, Ekansh Gupta wrote:
>> Scatterlist table is obtained during map create request and the same
>> table is used for DMA mapping unmap. In case there is any failure
>> while getting the sg_table, ERR_PTR is returned instead of sg_table.
>>
>> When the map is getting freed, there is only a non-NULL check of
>> sg_table which will also be true in case failure was returned instead
>> of sg_table. This would result in improper unmap request. Add proper
>> check before setting map table to avoid bad unmap request.
>>
>> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke
>> method")
>> Cc: stable <[email protected]>
>> Signed-off-by: Ekansh Gupta <[email protected]>
>> ---
>> Changes in v2:
>> - Added fixes information to commit text
>> Changes in v3:
>> - Set map->table only if attachment for successful
>>
>> drivers/misc/fastrpc.c | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
>> index 9666d28..de7c812 100644
>> --- a/drivers/misc/fastrpc.c
>> +++ b/drivers/misc/fastrpc.c
>> @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user
>> *fl, int fd,
>> {
>> struct fastrpc_session_ctx *sess = fl->sctx;
>> struct fastrpc_map *map = NULL;
>> + struct sg_table *table;
>> int err = 0;
>> if (!fastrpc_map_lookup(fl, fd, ppmap, true))
>> @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct
>> fastrpc_user *fl, int fd,
>> goto attach_err;
>> }
>> - map->table = dma_buf_map_attachment_unlocked(map->attach,
>> DMA_BIDIRECTIONAL);
>> - if (IS_ERR(map->table)) {
>> - err = PTR_ERR(map->table);
>> + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL);
>
> Any reason why dma_buf_map_attachment_unlocked changed to
> dma_buf_map_attachment?
This is a mistake from my end. My local workspace had older version due
to which the function also got reverted. I will fix this in new patch.
Apologies for the confusion.
>
> --srini
>> + if (IS_ERR(table)) {
>> + err = PTR_ERR(table);
>> goto map_err;
>> }
>> + map->table = table;
>> if (attr & FASTRPC_ATTR_SECUREMAP) {
>> map->phys = sg_phys(map->table->sgl);