[0/3] misc: fastrpc: fix memory corruption

Message ID	20220829080531.29681-1-johan+linaro@kernel.org
Headers	show Return-Path: <linux-arm-msm-owner@kernel.org> From: Johan Hovold <johan+linaro@kernel.org> To: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>, Amol Maheshwari <amahesh@qti.qualcomm.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Arnd Bergmann <arnd@arndb.de>, Bjorn Andersson <andersson@kernel.org>, Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold <johan+linaro@kernel.org> Subject: [PATCH 0/3] misc: fastrpc: fix memory corruption Date: Mon, 29 Aug 2022 10:05:28 +0200 Message-Id: <20220829080531.29681-1-johan+linaro@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	misc: fastrpc: fix memory corruption \| expand [0/3] misc: fastrpc: fix memory corruption [1/3] misc: fastrpc: fix memory corruption on probe [2/3] misc: fastrpc: fix memory corruption on open [3/3] misc: fastrpc: increase maximum session count

Message ID

20220829080531.29681-1-johan+linaro@kernel.org

Headers

From: Johan Hovold <johan+linaro@kernel.org>
To: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
        Amol Maheshwari <amahesh@qti.qualcomm.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Bjorn Andersson <andersson@kernel.org>,
        Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
        linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Johan Hovold <johan+linaro@kernel.org>
Subject: [PATCH 0/3] misc: fastrpc: fix memory corruption
Date: Mon, 29 Aug 2022 10:05:28 +0200
Message-Id: <20220829080531.29681-1-johan+linaro@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

misc: fastrpc: fix memory corruption | expand

Message

Johan Hovold Aug. 29, 2022, 8:05 a.m. UTC

The fastrpc driver uses a fixed-sized array to store its sessions but
missing and broken sanity checks could lead to memory beyond the array
being corrupted.

This specifically happens on SC8280XP platforms that use 14 sessions for
the compute DSP.

These are all needed for 6.0.

Johan


Johan Hovold (3):
  misc: fastrpc: fix memory corruption on probe
  misc: fastrpc: fix memory corruption on open
  misc: fastrpc: increase maximum session count

 drivers/misc/fastrpc.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Comments

Srinivas Kandagatla Sept. 2, 2022, 10:02 a.m. UTC | #1

Hi Johan,

On 29/08/2022 09:05, Johan Hovold wrote:
> The fastrpc driver uses a fixed-sized array to store its sessions but
> missing and broken sanity checks could lead to memory beyond the array
> being corrupted.
> 
> This specifically happens on SC8280XP platforms that use 14 sessions for
> the compute DSP.
> 
Thanks for doing this.

I see that we hit this issue once again, and the way we are fixing it is 
not really scalable. We should really get rid of FASTRPC_MAX_SESSIONS.

We should allocate the sessions dynamically based in the child node 
count and qcom,nsessions.



thanks,
Srini

> These are all needed for 6.0.
> 
> Johan
> 
> 
> Johan Hovold (3):
>    misc: fastrpc: fix memory corruption on probe
>    misc: fastrpc: fix memory corruption on open
>    misc: fastrpc: increase maximum session count
> 
>   drivers/misc/fastrpc.c | 14 +++++++++-----
>   1 file changed, 9 insertions(+), 5 deletions(-)
>

Johan Hovold Sept. 2, 2022, 12:28 p.m. UTC | #2

On Fri, Sep 02, 2022 at 11:02:35AM +0100, Srinivas Kandagatla wrote:
> Hi Johan,
> 
> On 29/08/2022 09:05, Johan Hovold wrote:
> > The fastrpc driver uses a fixed-sized array to store its sessions but
> > missing and broken sanity checks could lead to memory beyond the array
> > being corrupted.
> > 
> > This specifically happens on SC8280XP platforms that use 14 sessions for
> > the compute DSP.
> > 
> Thanks for doing this.
> 
> I see that we hit this issue once again, and the way we are fixing it is 
> not really scalable. We should really get rid of FASTRPC_MAX_SESSIONS.

Yeah, I was a bit surprised to find that the underlying bugs (i.e. the
incomplete sanity checks) weren't fixed the last time this memory
corruption was reported:

	https://lore.kernel.org/all/1632123274-32054-1-git-send-email-jeyr@codeaurora.org/

> We should allocate the sessions dynamically based in the child node 
> count and qcom,nsessions.

That sounds like it would be an improvement.

But at least now you'll get an error message during probe rather than
silent memory corruption when bringing up a new SoC that needs more than
the current maximum number of sessions.

Johan