| Message ID | 1690953032-17070-1-git-send-email-quic_ekangupt@quicinc.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v3] misc: fastrpc: Fix incorrect DMA mapping unmap request | expand |
On 02/08/2023 06:10, Ekansh Gupta wrote: > Scatterlist table is obtained during map create request and the same > table is used for DMA mapping unmap. In case there is any failure > while getting the sg_table, ERR_PTR is returned instead of sg_table. > > When the map is getting freed, there is only a non-NULL check of > sg_table which will also be true in case failure was returned instead > of sg_table. This would result in improper unmap request. Add proper > check before setting map table to avoid bad unmap request. > > Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") > Cc: stable <stable@kernel.org> > Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> > --- > Changes in v2: > - Added fixes information to commit text > Changes in v3: > - Set map->table only if attachment for successful > > drivers/misc/fastrpc.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index 9666d28..de7c812 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, > { > struct fastrpc_session_ctx *sess = fl->sctx; > struct fastrpc_map *map = NULL; > + struct sg_table *table; > int err = 0; > > if (!fastrpc_map_lookup(fl, fd, ppmap, true)) > @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, > goto attach_err; > } > > - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); > - if (IS_ERR(map->table)) { > - err = PTR_ERR(map->table); > + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); Any reason why dma_buf_map_attachment_unlocked changed to dma_buf_map_attachment? --srini > + if (IS_ERR(table)) { > + err = PTR_ERR(table); > goto map_err; > } > + map->table = table; > > if (attr & FASTRPC_ATTR_SECUREMAP) { > map->phys = sg_phys(map->table->sgl);
On 8/2/2023 7:13 PM, Srinivas Kandagatla wrote: > > > On 02/08/2023 06:10, Ekansh Gupta wrote: >> Scatterlist table is obtained during map create request and the same >> table is used for DMA mapping unmap. In case there is any failure >> while getting the sg_table, ERR_PTR is returned instead of sg_table. >> >> When the map is getting freed, there is only a non-NULL check of >> sg_table which will also be true in case failure was returned instead >> of sg_table. This would result in improper unmap request. Add proper >> check before setting map table to avoid bad unmap request. >> >> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke >> method") >> Cc: stable <stable@kernel.org> >> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> >> --- >> Changes in v2: >> - Added fixes information to commit text >> Changes in v3: >> - Set map->table only if attachment for successful >> >> drivers/misc/fastrpc.c | 8 +++++--- >> 1 file changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c >> index 9666d28..de7c812 100644 >> --- a/drivers/misc/fastrpc.c >> +++ b/drivers/misc/fastrpc.c >> @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user >> *fl, int fd, >> { >> struct fastrpc_session_ctx *sess = fl->sctx; >> struct fastrpc_map *map = NULL; >> + struct sg_table *table; >> int err = 0; >> if (!fastrpc_map_lookup(fl, fd, ppmap, true)) >> @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct >> fastrpc_user *fl, int fd, >> goto attach_err; >> } >> - map->table = dma_buf_map_attachment_unlocked(map->attach, >> DMA_BIDIRECTIONAL); >> - if (IS_ERR(map->table)) { >> - err = PTR_ERR(map->table); >> + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); > > Any reason why dma_buf_map_attachment_unlocked changed to > dma_buf_map_attachment? This is a mistake from my end. My local workspace had older version due to which the function also got reverted. I will fix this in new patch. Apologies for the confusion. > > --srini >> + if (IS_ERR(table)) { >> + err = PTR_ERR(table); >> goto map_err; >> } >> + map->table = table; >> if (attr & FASTRPC_ATTR_SECUREMAP) { >> map->phys = sg_phys(map->table->sgl);
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 9666d28..de7c812 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; + struct sg_table *table; int err = 0; if (!fastrpc_map_lookup(fl, fd, ppmap, true)) @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, goto attach_err; } - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); - if (IS_ERR(map->table)) { - err = PTR_ERR(map->table); + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); + if (IS_ERR(table)) { + err = PTR_ERR(table); goto map_err; } + map->table = table; if (attr & FASTRPC_ATTR_SECUREMAP) { map->phys = sg_phys(map->table->sgl);
Scatterlist table is obtained during map create request and the same table is used for DMA mapping unmap. In case there is any failure while getting the sg_table, ERR_PTR is returned instead of sg_table. When the map is getting freed, there is only a non-NULL check of sg_table which will also be true in case failure was returned instead of sg_table. This would result in improper unmap request. Add proper check before setting map table to avoid bad unmap request. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable <stable@kernel.org> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> --- Changes in v2: - Added fixes information to commit text Changes in v3: - Set map->table only if attachment for successful drivers/misc/fastrpc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)