Message ID | 1690182571-7348-1-git-send-email-quic_ekangupt@quicinc.com |
---|---|
State | New |
Headers | From: Ekansh Gupta <quic_ekangupt@quicinc.com> To: <srinivas.kandagatla@linaro.org>, <linux-arm-msm@vger.kernel.org> CC: Ekansh Gupta <quic_ekangupt@quicinc.com>, <ekangupt@qti.qualcomm.com>, <gregkh@linuxfoundation.org>, <linux-kernel@vger.kernel.org>, <fastrpc.upstream@qti.qualcomm.com>, stable <stable@kernel.org> Subject: [PATCH v2] misc: fastrpc: Fix incorrect DMA mapping unmap request Date: Mon, 24 Jul 2023 12:39:31 +0530 List-ID: <linux-kernel.vger.kernel.org> |
Series | [v2] misc: fastrpc: Fix incorrect DMA mapping unmap request |
Commit Message
Ekansh Gupta
July 24, 2023, 7:09 a.m. UTC
Scatterlist table is obtained during map create request and the same
table is used for DMA mapping unmap. In case there is any failure
while getting the sg_table, ERR_PTR is returned instead of sg_table.

When the map is getting freed, there is only a non-NULL check of
sg_table which will also be true in case failure was returned instead
of sg_table. This would result in improper unmap request. Add proper
check to avoid bad unmap request.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <stable@kernel.org>
Tested-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
---
Changes in v2:
  - Added fixes information to commit text

 drivers/misc/fastrpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Mon, Jul 24, 2023 at 12:39:31PM +0530, Ekansh Gupta wrote:
> Scatterlist table is obtained during map create request and the same

I'm guessing that this all happens in fastrpc_map_create() where:

  map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);

fails, we jump to map_err, and then call fastrpc_map_put(map), which
then ends up in the code below?

> table is used for DMA mapping unmap. In case there is any failure
> while getting the sg_table, ERR_PTR is returned instead of sg_table.

The problem isn't that ERR_PTR() is being returned, the problem is that
this is being assigned to map->table and you keep running.

>
> When the map is getting freed, there is only a non-NULL check of
> sg_table which will also be true in case failure was returned instead
> of sg_table. This would result in improper unmap request. Add proper
> check to avoid bad unmap request.
>
> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
> Cc: stable <stable@kernel.org>
> Tested-by: Ekansh Gupta <quic_ekangupt@quicinc.com>

You always test your own patches, so no need to declare this.

> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
> ---
> Changes in v2:
> - Added fixes information to commit text
>
> drivers/misc/fastrpc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index 9666d28..75da69a 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c
> @@ -313,7 +313,7 @@ static void fastrpc_free_map(struct kref *ref) > > map = container_of(ref, struct fastrpc_map, refcount); > > - if (map->table) { > + if (map->table && !IS_ERR(map->table)) {

Rather than carrying around an IS_ERR(map->table), I think you should
address this at the originating place. E.g. assign the return value of
the dma_buf_map_attachment_unlocked() to a local variable and only if it
is valid you assign map->table. Or perhaps make it NULL in the error
path.

Regards,
Bjorn

> if (map->attr & FASTRPC_ATTR_SECUREMAP) { > struct qcom_scm_vmperm perm; > int vmid = map->fl->cctx->vmperms[0].vmid; > -- > 2.7.4 >
On 7/26/2023 12:00 PM, Bjorn Andersson wrote:
> On Mon, Jul 24, 2023 at 12:39:31PM +0530, Ekansh Gupta wrote:
>> Scatterlist table is obtained during map create request and the same
>
> I'm guessing that this all happens in fastrpc_map_create() where:
>
> map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
>
> fails, we jump to map_err, and then call fastrpc_map_put(map), which
> then ends up in the code below?
>

yes, your understanding is correct.

>> table is used for DMA mapping unmap. In case there is any failure
>> while getting the sg_table, ERR_PTR is returned instead of sg_table.
>
> The problem isn't that ERR_PTR() is being returned, the problem is that
> this is being assigned to map->table and you keep running.
>
>>
>> When the map is getting freed, there is only a non-NULL check of
>> sg_table which will also be true in case failure was returned instead
>> of sg_table. This would result in improper unmap request. Add proper
>> check to avoid bad unmap request.
>>
>> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
>> Cc: stable <stable@kernel.org>
>> Tested-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
>
> You always test your own patches, so no need to declare this.
>

sure, I'll avoid adding this for future changes.

>> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
>> ---
>> Changes in v2:
>> - Added fixes information to commit text
>>
>> drivers/misc/fastrpc.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c >> index 9666d28..75da69a 100644 >> --- a/drivers/misc/fastrpc.c >> +++ b/drivers/misc/fastrpc.c
>> @@ -313,7 +313,7 @@ static void fastrpc_free_map(struct kref *ref) >> >> map = container_of(ref, struct fastrpc_map, refcount); >> >> - if (map->table) { >> + if (map->table && !IS_ERR(map->table)) {
>
> Rather than carrying around an IS_ERR(map->table), I think you should
> address this at the originating place. E.g. assign the return value of
> the dma_buf_map_attachment_unlocked() to a local variable and only if it
> is valid you assign map->table. Or perhaps make it NULL in the error
> path.
>

understood, this looks like a much cleaner solution. I'll update this in the next patch.
Thanks for taking your time to review this change, Bjorn.

--ekansh

> Regards,
> Bjorn
>
>> if (map->attr & FASTRPC_ATTR_SECUREMAP) { >> struct qcom_scm_vmperm perm; >> int vmid = map->fl->cctx->vmperms[0].vmid; >> -- >> 2.7.4 >>
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 9666d28..75da69a 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -313,7 +313,7 @@ static void fastrpc_free_map(struct kref *ref) map = container_of(ref, struct fastrpc_map, refcount); - if (map->table) { + if (map->table && !IS_ERR(map->table)) { if (map->attr & FASTRPC_ATTR_SECUREMAP) { struct qcom_scm_vmperm perm; int vmid = map->fl->cctx->vmperms[0].vmid;
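Review bot: the new condition on the `+ if (map->table && !IS_ERR(map->table)) {` line in fastrpc_free_map() leaves an ERR_PTR value stored in map->table, so any other site that tests the field only for NULL stays exposed to the same mistake. If the check stays in the free path, `!IS_ERR_OR_NULL(map->table)` expresses it in one call; the more robust change is at the assignment, keeping the mapping result in a local variable and writing map->table only on success, so that the field is always either NULL or a valid sg_table.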
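The failure path discussed in this thread, as an added userspace C model that is not code from the patch or from the fastrpc driver. ERR_PTR/PTR_ERR/IS_ERR are re-implemented here after linux/err.h, and struct map, get_table(), free_map() and the two create_* functions are hypothetical stand-ins; it shows a non-NULL-only free path acting on an error pointer, and the local-variable pattern suggested in review avoiding that.

```c
/* Userspace model of the kernel's ERR_PTR convention (linux/err.h).
 * struct map, get_table() and the counters are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct sg_table { int nents; };
struct map { struct sg_table *table; };
static struct sg_table good_table = { 1 };
static int good_unmaps, bad_unmaps; /* unmaps of a real / bogus table */

/* Stand-in for the mapping call: a table on success, ERR_PTR on failure. */
static struct sg_table *get_table(int fail) { return fail ? ERR_PTR(-ENOMEM) : &good_table; }

/* Free path with only the non-NULL test, as on the '-' line of the patch. */
static void free_map(struct map *m)
{
	if (m->table) {
		if (m->table == &good_table) good_unmaps++; else bad_unmaps++;
	}
	m->table = NULL;
}

/* Result stored in the field before it is checked; the error path frees. */
static int create_store_first(struct map *m, int fail)
{
	m->table = get_table(fail);
	if (!IS_ERR(m->table))
		return 0;
	int err = (int)PTR_ERR(m->table);
	free_map(m);
	return err;
}

/* Reviewer's suggestion: keep the result local, assign only when valid. */
static int create_local_first(struct map *m, int fail)
{
	struct sg_table *t = get_table(fail);
	if (IS_ERR(t)) {
		free_map(m);
		return (int)PTR_ERR(t);
	}
	m->table = t;
	return 0;
}
```
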