
Commit cd522d4

ekanshibusgaud-quic
authored andcommitted
FROMLIST: misc: fastrpc: Remove buffer from list prior to unmap operation
fastrpc_req_munmap_impl() is called to unmap any buffer. The buffer is getting removed from the list after it is unmapped from DSP. This can create potential race conditions if any other thread removes the entry from list while unmap operation is ongoing. Remove the entry before calling unmap operation. Link: https://lore.kernel.org/all/20260409062617.1182-3-jianping.li@oss.qualcomm.com/ Fixes: 2419e55 ("misc: fastrpc: add mmap/unmap support") Cc: stable@kernel.org Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com> Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com> Signed-off-by: Jianping Li <jianping.li@oss.qualcomm.com>
1 parent 9dcad42 commit cd522d4

1 file changed

Lines changed: 15 additions & 6 deletions


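--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2008,9 +2008,6 @@ static int fastrpc_req_munmap_impl(struct fastrpc_user *fl, struct fastrpc_buf *
 &args[0]);
 if (!err) {
 dev_dbg(dev, "unmmap\tpt 0x%09lx OK\n", buf->raddr);
-spin_lock(&fl->lock);
-list_del(&buf->node);
-spin_unlock(&fl->lock);
 fastrpc_buf_free(buf);
 } else {
 dev_err(dev, "unmmap\tpt 0x%09lx ERROR\n", buf->raddr);
@@ -2024,13 +2021,15 @@ static int fastrpc_req_munmap(struct fastrpc_user *fl, char __user *argp)
 struct fastrpc_buf *buf = NULL, *iter, *b;
 struct fastrpc_req_munmap req;
 struct device *dev = fl->sctx->dev;
+int err;
 
 if (copy_from_user(&req, argp, sizeof(req)))
 return -EFAULT;
 
 spin_lock(&fl->lock);
 list_for_each_entry_safe(iter, b, &fl->mmaps, node) {
 if ((iter->raddr == req.vaddrout) && (iter->size == req.size)) {
+list_del(&iter->node);
 buf = iter;
 break;
 }
@@ -2043,7 +2042,14 @@ static int fastrpc_req_munmap(struct fastrpc_user *fl, char __user *argp)
 return -EINVAL;
 }
 
-return fastrpc_req_munmap_impl(fl, buf);
+err = fastrpc_req_munmap_impl(fl, buf);
+if (err) {
+spin_lock(&fl->lock);
+list_add_tail(&buf->node, &fl->mmaps);
+spin_unlock(&fl->lock);
+}
+
+return err;
 }
 
 static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
@@ -2134,14 +2140,17 @@ static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
 
 if (copy_to_user((void __user *)argp, &req, sizeof(req))) {
 err = -EFAULT;
-goto err_assign;
+goto err_copy;
 }
 
 dev_dbg(dev, "mmap\t\tpt 0x%09lx OK [len 0x%08llx]\n",
 buf->raddr, buf->size);
 
 return 0;
-
+err_copy:
+spin_lock(&fl->lock);
+list_del(&buf->node);
+spin_unlock(&fl->lock);
 err_assign:
 fastrpc_req_munmap_impl(fl, buf);
 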
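Review bot: On the new `err_copy` path in fastrpc_req_mmap() the buffer is unlinked from `fl->mmaps` and `fastrpc_req_munmap_impl(fl, buf)` is then called with its return value ignored, while the first hunk shows the helper calls `fastrpc_buf_free(buf)` only when the DSP unmap succeeds. If that unmap fails, the buffer is neither freed nor on any list, so the allocation is leaked and may still be mapped on the DSP; fastrpc_req_munmap() in this same commit handles that case by re-adding the node. Checking the result at `err_assign` and putting the node back keeps the buffer tracked. This assumes entries left on `fl->mmaps` are released when the file is closed, which is not visible on this page. The function continues past the end of the hunk, so what follows the call is not shown.

```c
err_assign:
	if (fastrpc_req_munmap_impl(fl, buf)) {
		/* unmap failed, buf was not freed: put it back so it stays tracked */
		spin_lock(&fl->lock);
		list_add_tail(&buf->node, &fl->mmaps);
		spin_unlock(&fl->lock);
	}
	/* … unchanged: remainder of the error path (outside the hunk) … */
```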
