2023-08-02 15:07:57

by Ekansh Gupta

Subject: [PATCH v4] misc: fastrpc: Fix incorrect DMA mapping unmap request

Scatterlist table is obtained during map create request and the same
table is used for DMA mapping unmap. In case there is any failure
while getting the sg_table, ERR_PTR is returned instead of sg_table.

When the map is getting freed, there is only a non-NULL check of
sg_table which will also be true in case failure was returned instead
of sg_table. This would result in improper unmap request. Add proper
check before setting map table to avoid bad unmap request.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <[email protected]>
Signed-off-by: Ekansh Gupta <[email protected]>
---
Changes in v2:
- Added fixes information to commit text
Changes in v3:
- Set map->table only if attachment for successful
Changes in v4:
- Use correct dma buf attachment function

drivers/misc/fastrpc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 9666d28..b2c62b2 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
{
struct fastrpc_session_ctx *sess = fl->sctx;
struct fastrpc_map *map = NULL;
+ struct sg_table *table;
int err = 0;

if (!fastrpc_map_lookup(fl, fd, ppmap, true))
@@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
goto attach_err;
}

- map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
- if (IS_ERR(map->table)) {
- err = PTR_ERR(map->table);
+ table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
+ if (IS_ERR(table)) {
+ err = PTR_ERR(table);
goto map_err;
}
+ map->table = table;

if (attr & FASTRPC_ATTR_SECUREMAP) {
map->phys = sg_phys(map->table->sgl);
--
2.7.4

2023-08-02 15:40:38

by Srinivas Kandagatla

Subject: Re: [PATCH v4] misc: fastrpc: Fix incorrect DMA mapping unmap request

On Wed, 02 Aug 2023 19:27:36 +0530, Ekansh Gupta wrote:
> Scatterlist table is obtained during map create request and the same
> table is used for DMA mapping unmap. In case there is any failure
> while getting the sg_table, ERR_PTR is returned instead of sg_table.
>
> When the map is getting freed, there is only a non-NULL check of
> sg_table which will also be true in case failure was returned instead
> of sg_table. This would result in improper unmap request. Add proper
> check before setting map table to avoid bad unmap request.
>
> [...]

Applied, thanks!

[1/1] misc: fastrpc: Fix incorrect DMA mapping unmap request
commit: 3042d44f7e49c74f2928b4780c66564632449bab

Best regards,
--
Srinivas Kandagatla <[email protected]>