Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp578682iob; Wed, 18 May 2022 08:25:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzr3JhiKsRPRDbBblQbBBNMTb8VoibL0IAOdGD0VNey68ELqBbt289CzGZrJyUxPZPck6NM X-Received: by 2002:a63:fd51:0:b0:3c1:977e:1fed with SMTP id m17-20020a63fd51000000b003c1977e1fedmr45625pgj.246.1652887534581; Wed, 18 May 2022 08:25:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652887534; cv=none; d=google.com; s=arc-20160816; b=WvqnLx6YH7+0WtDoMhTEmg51ELaif4wJnqb487LlAV1NVKkWcdiPxJAsFNMMDWtvn8 j043VNOyeMEhl/yDsIjlgPmEYboDr3hp5Nk6t8O+UAxSpz6E6DRfFaYLOFtXuu46ETU+ ulHAZBXKkQ/Cgx9LyJQizQvUxDavX/v9rpy8bYpD7NKna3y2VFDcQuzRj5L3NB2ob/WW TL86XbWM82XXlisZFg9p5ktDrAZM2nTkhdSJmw9kYldyFcStuPSHVRllVSWDYRHAgqw7 t2pmil1zQcfip5oXsiquyB/aFulmeocL+CQhqp1jFnhSsh57lh3Vuw36sGpFdo29yyCN ZswQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=iwFDpDzsgkZxnKVg9aJTc5E9Q138Iv8GSg56Yqm0AM4=; b=eweW6NT6+z7KbYQK4BBDDfDRQFP3k0lKPUOJyEnNXUm2+KhHd9jV4qCDEnxX2a2rAM iGxeSFb68p7s/RQWX/ngoKNEFejiMjJ25VuLx7PnSWcQXIJvDaKAcZgHjoENJ3c7lRfA TAmIU9qPzyspp4tM+d1jMuD+tziIR1txKTEp9O2jK6OSQ9GokTzpqtqXdQX16x0zHjNL 8WZtxAYj5XNuQcMPPhTwSNGwg2b0Ep02Kx3rvCZFKy3FsvrG4q18AmKR5xSO2C7HzOfT PG4T4359fkcUERZ8DVAsvq313zrQGymGQL6VLJDJlpJucLWdqwf++wUDilHmD5l/CH6J rCWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cJPHEbef; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id y18-20020a634b12000000b003c6dde345a4si2851112pga.297.2022.05.18.08.25.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 May 2022 08:25:34 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cJPHEbef; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 77B8319FF42; Wed, 18 May 2022 08:24:34 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239271AbiERPY2 (ORCPT + 99 others); Wed, 18 May 2022 11:24:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39768 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239273AbiERPYJ (ORCPT ); Wed, 18 May 2022 11:24:09 -0400 Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE78719C3A7 for ; Wed, 18 May 2022 08:24:07 -0700 (PDT) Received: by mail-wm1-x32e.google.com with SMTP id r6-20020a1c2b06000000b00396fee5ebc9so1242903wmr.1 for ; Wed, 18 May 2022 08:24:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=iwFDpDzsgkZxnKVg9aJTc5E9Q138Iv8GSg56Yqm0AM4=; b=cJPHEbefsOrS36AeKT5jTO5oHzqeCDUnv2YSZEO97zuos5lW1FIKIQg3jR6psxYH/Y iIXamqrwCBesaePVbnXKabA2SUTQlVsjMCnYunoQujOeo+BmKN4ydxzUGg1SuR0iz3rA LnsLEjPOsjWrOCVxVykoux8FWi4X9pFlLDMvlyEfp3iM2pg7XpxkjqM9Wx6UuK8+npN8 8Jr3vTAwtKwk0XLe8QVq2htYXMsXrGv7rWzz4unJsIx6HdVu8jDTMhl27UTK6zo9mkEr qi6xWf+b/7OqAWVEHtTQdfe2EjjJXitNxVqleo20j9m7KvPdEA4Ls7KrEgVW78ayvjto Cvuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=iwFDpDzsgkZxnKVg9aJTc5E9Q138Iv8GSg56Yqm0AM4=; b=Tm82LTv2N8rJnMFgi1z075Gnp/m8J6KfTGI5WYVYx80TFrKK2LKBYKO9xpkvYOc4A5 eWP+tioGSqsQaZXaLQW4qxU94i1wcMIBM6+2sJk/wmIRGuTvTljLHzkcaPXl0vargWoc EyB3Iy29c2P27mcvaR7RQSMJHTj6zMOcUw0PwQXKLWhS/WnmbJJVLEvlfhr2n9p4bVFv G0TcF2w9Oc2u1Bvv2pSrssWAEXsC1Lmc5etHdgUWsk+8kFXY9FdN8IEDI3YMu/mp/7hq PCNbPMK+0+dCDOqhsA7sGPjFCXyX0ZH31nJL9RS2n6yq9Gw1sX4kx1RZLHjGYJpaIOOe TyJA== X-Gm-Message-State: AOAM530kjMJIRT3YDyDDFDySrZ0NXHmhwCDza1FyfRS26klhS/Qtg34K 9SxnixlQYcO25P5JpRdSXduu+N+G+dwZq1By X-Received: by 2002:a7b:c445:0:b0:397:28d3:d9cf with SMTP id l5-20020a7bc445000000b0039728d3d9cfmr452230wmi.116.1652887445896; Wed, 18 May 2022 08:24:05 -0700 (PDT) Received: from srini-hackbox.lan (cpc90716-aztw32-2-0-cust825.18-1.cable.virginm.net. [86.26.103.58]) by smtp.gmail.com with ESMTPSA id v9-20020a056000144900b0020c5253d8d8sm2975319wrx.36.2022.05.18.08.24.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 May 2022 08:24:05 -0700 (PDT) From: Srinivas Kandagatla To: gregkh@linuxfoundation.org Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Srinivas Kandagatla , stable@vger.kernel.org, Jan Jablonsky Subject: [PATCH] misc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl Date: Wed, 18 May 2022 16:23:53 +0100 Message-Id: <20220518152353.13058-1-srinivas.kandagatla@linaro.org> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is another instance of incorrect use of list iterator and checking it for NULL. The list iterator value 'map' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty (in this case, the check 'if (!map) {' will always be false and never exit as expected). To fix the bug, use a new variable 'iter' as the list iterator, while use the original variable 'map' as a dedicated pointer to point to the found element. Without this patch, Kernel crashes with below trace: Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000ffff7fb03750 ... Call trace: fastrpc_map_create+0x70/0x290 [fastrpc] fastrpc_req_mem_map+0xf0/0x2dc [fastrpc] fastrpc_device_ioctl+0x138/0xc60 [fastrpc] __arm64_sys_ioctl+0xa8/0xec invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xd4/0xfc do_el0_svc+0x28/0x90 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x18c/0x190 Code: 14000016 f94000a5 eb05029f 54000260 (b94018a6) ---[ end trace 0000000000000000 ]--- Cc: stable@vger.kernel.org Fixes: 5c1b97c7d7b7 ("misc: fastrpc: add support for FASTRPC_IOCTL_MEM_MAP/UNMAP") Reported-by: Jan Jablonsky Signed-off-by: Srinivas Kandagatla --- drivers/misc/fastrpc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 4bdc8e0df657..93ebd174d848 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1748,17 +1748,18 @@ static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp) static int fastrpc_req_mem_unmap_impl(struct fastrpc_user *fl, struct fastrpc_mem_unmap *req) { struct fastrpc_invoke_args args[1] = { [0] = { 0 } }; - struct fastrpc_map *map = NULL, *m; + struct fastrpc_map *map = NULL, *iter, *m; struct fastrpc_mem_unmap_req_msg req_msg = { 0 }; int err = 0; u32 sc; struct device *dev = fl->sctx->dev; spin_lock(&fl->lock); - list_for_each_entry_safe(map, m, &fl->maps, node) { - if ((req->fd < 0 || map->fd == req->fd) && (map->raddr == req->vaddr)) + list_for_each_entry_safe(iter, m, &fl->maps, node) { + if ((req->fd < 0 || iter->fd == req->fd) && (iter->raddr == req->vaddr)) { + map = iter; break; - map = NULL; + } } spin_unlock(&fl->lock); -- 2.21.0