Message ID | 1690953032-17070-1-git-send-email-quic_ekangupt@quicinc.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9f41:0:b0:3e4:2afc:c1 with SMTP id v1csp252914vqx; Tue, 1 Aug 2023 23:42:14 -0700 (PDT) X-Google-Smtp-Source: APBJJlELpYS9qYeBwu/UedGRGowk7FT6B8HNaEFHOVoTm6zCUhdvY7l9tANZ17We5jQfD7MMBo/8 X-Received: by 2002:ac2:4d97:0:b0:4f9:5404:af5 with SMTP id g23-20020ac24d97000000b004f954040af5mr3718539lfe.46.1690958534244; Tue, 01 Aug 2023 23:42:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690958534; cv=none; d=google.com; s=arc-20160816; b=wcRnsjCZ09KGeB6ZTV8xe92GM6w8H350T68Id5CpyumwcbSJ6WqRwWLIMVWstuJ+Fe 47XdXGMSVVMjgkFgaqgeb6/U+WladkmJbqDFn8zcyQwM4Zm5palxoTESH1KHg3h+Lfcy o4WGxjTSdv5flyU5R3WoqUsyn7CqxgReHnhzgU+cidOaE9F7+LqgYbdzU6Zh2t1yKWm1 BTRT9FC7bAVntjG68zP70pubahfvOJg9wn2lRYc5q0cfrDAkxd7b+/tofKad38vbO86h 9diVuI9Rh8pv5vcNJNAqlun2g/DQJsvJfDonBd+XajdQ2IXxF8wiRQQyXBAq5crq+oSb 6LZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from :dkim-signature; bh=JGQQ2RRYZ1qf9bibWVUm1IHA4vj9lwvMXXEvTgPZB9s=; fh=TnMRDi3L0sQlniDGL1hLZ2IIl7MhP13XMPTS/HLyrTU=; b=p8EnwJ8SwjMzFwbjBGVIGv1oMN3PAwTEKN77MvVrjf1WnMQK9wYRbjKt6EvZYKZf+2 dbid0EHd2Z9gZrN+ybG50fzZgtdwSokbSRF2fORf/6seoWCUFlrsbDHeII1OV8mGvovC bjGNkSpCBkRpfqlc6ZK34drJN9BKnP3kzvultmOAz/sxoDQ7XkqgdBRLiQBNYU4DE/kl WO9418r1u6gA3XA4qFSc5B9cML/kj49XYtUuvu5L2W7scIuK+Zlw0pcahKyxTDGra/mI QOKjSqdo/52LgG/cL4PVTnPN2mTOU2hOAaEMgA8zq0U8H3Xw4SpgrNeLstUZsSw4YjQ1 Qs5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=BwGucw4c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t20-20020a05640203d400b00522278e9bc4si8797942edw.651.2023.08.01.23.41.49; Tue, 01 Aug 2023 23:42:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=BwGucw4c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232294AbjHBFKs (ORCPT <rfc822;maxi.paulin@gmail.com> + 99 others); Wed, 2 Aug 2023 01:10:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231903AbjHBFKq (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Wed, 2 Aug 2023 01:10:46 -0400 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7965D1FCB; Tue, 1 Aug 2023 22:10:44 -0700 (PDT) Received: from pps.filterd (m0279864.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3724WEPx028031; Wed, 2 Aug 2023 05:10:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : mime-version : content-type; s=qcppdkim1; bh=JGQQ2RRYZ1qf9bibWVUm1IHA4vj9lwvMXXEvTgPZB9s=; b=BwGucw4cad6IJRVo6KTZ34lqAdCgdb/NXM6gSF1Z/NsI0zhryTDNxveTJogT3mR+rCRg Xogjwil1SrVOmzcc3ly/KQ3aEdoJjPFE9SiRCzVikk8Q5xnOwDH4mwE2YtGwufGmsWIR cWIPJhgdwBW+Pp9a8Zv5TUEf0DmzcW2REhsVsHicNvJa7BCnK/DkDYwecEWN0Cw1v2CR MrfVCtKvN/7GMi8mz3S1ersYW7t//CLFwk3KEgJWZkARmU1CXTMPrx0OUhnM9lgJv4eo CJGvnOFbPvqDvLWBcm4UYZaCpYI68yoXxMQdqsXK/VC76L/9XTcT2JCS26EkO8HTgomi 2Q== Received: from nalasppmta03.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3s7adk8m0g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Aug 2023 05:10:40 +0000 Received: from nalasex01b.na.qualcomm.com (nalasex01b.na.qualcomm.com [10.47.209.197]) by NALASPPMTA03.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 3725AdmW023636 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 2 Aug 2023 05:10:39 GMT Received: from ekangupt-linux.qualcomm.com (10.80.80.8) by nalasex01b.na.qualcomm.com (10.47.209.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.30; Tue, 1 Aug 2023 22:10:36 -0700 From: Ekansh Gupta <quic_ekangupt@quicinc.com> To: <srinivas.kandagatla@linaro.org>, <linux-arm-msm@vger.kernel.org> CC: Ekansh Gupta <quic_ekangupt@quicinc.com>, <ekangupt@qti.qualcomm.com>, <gregkh@linuxfoundation.org>, <linux-kernel@vger.kernel.org>, <fastrpc.upstream@qti.qualcomm.com>, stable <stable@kernel.org> Subject: [PATCH v3] misc: fastrpc: Fix incorrect DMA mapping unmap request Date: Wed, 2 Aug 2023 10:40:32 +0530 Message-ID: <1690953032-17070-1-git-send-email-quic_ekangupt@quicinc.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01b.na.qualcomm.com (10.47.209.197) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: gTMHd-1VJt47SGVj2KF1yS310-ZxNrcN X-Proofpoint-GUID: gTMHd-1VJt47SGVj2KF1yS310-ZxNrcN X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-08-02_03,2023-08-01_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 spamscore=0 priorityscore=1501 phishscore=0 bulkscore=0 impostorscore=0 lowpriorityscore=0 clxscore=1015 mlxlogscore=967 adultscore=0 mlxscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2306200000 definitions=main-2308020046 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1773098536189298924 X-GMAIL-MSGID: 1773098536189298924 |
Series |
[v3] misc: fastrpc: Fix incorrect DMA mapping unmap request
|
|
Commit Message
Ekansh Gupta
Aug. 2, 2023, 5:10 a.m. UTC
Scatterlist table is obtained during map create request and the same
table is used for DMA mapping unmap. In case there is any failure
while getting the sg_table, ERR_PTR is returned instead of sg_table.
When the map is getting freed, there is only a non-NULL check of
sg_table which will also be true in case failure was returned instead
of sg_table. This would result in improper unmap request. Add proper
check before setting map table to avoid bad unmap request.
Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <stable@kernel.org>
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
---
Changes in v2:
- Added fixes information to commit text
Changes in v3:
- Set map->table only if attachment for successful
drivers/misc/fastrpc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Comments
On 02/08/2023 06:10, Ekansh Gupta wrote: > Scatterlist table is obtained during map create request and the same > table is used for DMA mapping unmap. In case there is any failure > while getting the sg_table, ERR_PTR is returned instead of sg_table. > > When the map is getting freed, there is only a non-NULL check of > sg_table which will also be true in case failure was returned instead > of sg_table. This would result in improper unmap request. Add proper > check before setting map table to avoid bad unmap request. > > Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") > Cc: stable <stable@kernel.org> > Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> > --- > Changes in v2: > - Added fixes information to commit text > Changes in v3: > - Set map->table only if attachment for successful > > drivers/misc/fastrpc.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index 9666d28..de7c812 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, > { > struct fastrpc_session_ctx *sess = fl->sctx; > struct fastrpc_map *map = NULL; > + struct sg_table *table; > int err = 0; > > if (!fastrpc_map_lookup(fl, fd, ppmap, true)) > @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, > goto attach_err; > } > > - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); > - if (IS_ERR(map->table)) { > - err = PTR_ERR(map->table); > + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); Any reason why dma_buf_map_attachment_unlocked changed to dma_buf_map_attachment? --srini > + if (IS_ERR(table)) { > + err = PTR_ERR(table); > goto map_err; > } > + map->table = table; > > if (attr & FASTRPC_ATTR_SECUREMAP) { > map->phys = sg_phys(map->table->sgl);
On 8/2/2023 7:13 PM, Srinivas Kandagatla wrote: > > > On 02/08/2023 06:10, Ekansh Gupta wrote: >> Scatterlist table is obtained during map create request and the same >> table is used for DMA mapping unmap. In case there is any failure >> while getting the sg_table, ERR_PTR is returned instead of sg_table. >> >> When the map is getting freed, there is only a non-NULL check of >> sg_table which will also be true in case failure was returned instead >> of sg_table. This would result in improper unmap request. Add proper >> check before setting map table to avoid bad unmap request. >> >> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke >> method") >> Cc: stable <stable@kernel.org> >> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> >> --- >> Changes in v2: >> - Added fixes information to commit text >> Changes in v3: >> - Set map->table only if attachment for successful >> >> drivers/misc/fastrpc.c | 8 +++++--- >> 1 file changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c >> index 9666d28..de7c812 100644 >> --- a/drivers/misc/fastrpc.c >> +++ b/drivers/misc/fastrpc.c >> @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user >> *fl, int fd, >> { >> struct fastrpc_session_ctx *sess = fl->sctx; >> struct fastrpc_map *map = NULL; >> + struct sg_table *table; >> int err = 0; >> if (!fastrpc_map_lookup(fl, fd, ppmap, true)) >> @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct >> fastrpc_user *fl, int fd, >> goto attach_err; >> } >> - map->table = dma_buf_map_attachment_unlocked(map->attach, >> DMA_BIDIRECTIONAL); >> - if (IS_ERR(map->table)) { >> - err = PTR_ERR(map->table); >> + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); > > Any reason why dma_buf_map_attachment_unlocked changed to > dma_buf_map_attachment? This is a mistake from my end. My local workspace had older version due to which the function also got reverted. I will fix this in new patch. Apologies for the confusion. > > --srini >> + if (IS_ERR(table)) { >> + err = PTR_ERR(table); >> goto map_err; >> } >> + map->table = table; >> if (attr & FASTRPC_ATTR_SECUREMAP) { >> map->phys = sg_phys(map->table->sgl);
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 9666d28..de7c812 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -756,6 +756,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; + struct sg_table *table; int err = 0; if (!fastrpc_map_lookup(fl, fd, ppmap, true)) @@ -783,11 +784,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, goto attach_err; } - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); - if (IS_ERR(map->table)) { - err = PTR_ERR(map->table); + table = dma_buf_map_attachment(map->attach, DMA_BIDIRECTIONAL); + if (IS_ERR(table)) { + err = PTR_ERR(table); goto map_err; } + map->table = table; if (attr & FASTRPC_ATTR_SECUREMAP) { map->phys = sg_phys(map->table->sgl);