From patchwork Thu Aug 22 10:59:32 2024
X-Patchwork-Submitter: Ekansh Gupta
X-Patchwork-Id: 822251
From: Ekansh Gupta
Subject: [PATCH v1 2/3] misc: fastrpc: Fix fastrpc_map_lookup operation
Date: Thu, 22 Aug 2024 16:29:32 +0530
Message-ID: <20240822105933.2644945-3-quic_ekangupt@quicinc.com>
In-Reply-To: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
References: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

Fastrpc driver creates maps for user allocated fd buffers. Before
creating a new map, the map list is checked for any already existing
maps using map fd. Checking with just map fd is not sufficient as the
user can pass offsetted buffer with less size when the map is created
and then a larger size the next time which could result in memory
issues. Check for user passed VA and length also when looking up for
the map.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable
Signed-off-by: Ekansh Gupta
---
 drivers/misc/fastrpc.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index bcfb8ce1a0e3..ebe828770a8d 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -362,7 +362,8 @@ static int fastrpc_map_get(struct fastrpc_map *map) static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, - struct fastrpc_map **ppmap, bool take_ref) + u64 va, u64 len, struct fastrpc_map **ppmap, + bool take_ref) { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; @@ -370,7 +371,8 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, spin_lock(&fl->lock); list_for_each_entry(map, &fl->maps, node) { - if (map->fd != fd) + if (map->fd != fd || va < (u64)map->va || + va + len > (u64)map->va + map->size) continue; if (take_ref) { @@ -752,7 +754,8 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops = { }; static int fastrpc_map_create(struct fastrpc_user *fl, int fd, - u64 len, u32 attr, struct fastrpc_map **ppmap) + u64 va, u64 len, u32 attr, + struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; @@ -760,7 +763,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, struct scatterlist *sgl = NULL; int err = 0, sgl_index = 0; - if (!fastrpc_map_lookup(fl, fd, ppmap, true)) + if (!fastrpc_map_lookup(fl, fd, va, len, ppmap, true)) return 0; map = kzalloc(sizeof(*map), GFP_KERNEL); @@ -807,7 +810,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, err = -EINVAL; goto map_err; } - map->va = sg_virt(map->table->sgl); + map->va = (void *)(uintptr_t)va; map->len = len; if (attr & FASTRPC_ATTR_SECUREMAP) { @@ -920,7 +923,8 @@ static int fastrpc_create_maps(struct fastrpc_invoke_ctx *ctx) continue; err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, - ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + (u64)ctx->args[i].ptr, ctx->args[i].length, + ctx->args[i].attr, &ctx->maps[i]); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; 
@@ -1106,7 +1110,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx, for (i = 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) break; - if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + if (!fastrpc_map_lookup(fl, (int)fdlist[i], 0, 0, &mmap, false)) fastrpc_map_put(mmap); } @@ -1412,7 +1416,8 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, fl->pd = USER_PD; if (init.filelen && init.filefd) { - err = fastrpc_map_create(fl, init.filefd, init.filelen, 0, &map); + err = fastrpc_map_create(fl, init.filefd, init.file, + init.filelen, 0, &map); if (err) goto err; } @@ -2034,7 +2039,8 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) return -EFAULT; /* create SMMU mapping */ - err = fastrpc_map_create(fl, req.fd, req.length, 0, &map); + err = fastrpc_map_create(fl, req.fd, req.vaddrin, req.length, + 0, &map); if (err) { dev_err(dev, "failed to map buffer, fd = %d\n", req.fd); return err;
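Review bot: In the fastrpc_map_lookup loop (hunk at -370,7), `va + len` is the sum of two caller-supplied u64 values and can wrap, so a large enough len makes `va + len > (u64)map->va + map->size` false and the lookup accepts a range that runs past the end of the map. Compare without the addition, for example `len > map->size || va - (u64)map->va > map->size - len` after the `va < (u64)map->va` test, or reject the request when check_add_overflow() reports a wrap. The upper bound is also taken from map->size while fastrpc_map_create records the caller's length in map->len; a short comment saying which of the two is the intended limit would help.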
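Review bot: In fastrpc_map_create (hunk at -807,7), `map->va = (void *)(uintptr_t)va;` stores an unchecked user-supplied address in a field that previously held the kernel address returned by sg_virt(), and the cast through uintptr_t truncates the u64 on 32-bit builds. Any remaining reader of map->va that treats it as a kernel pointer needs to be audited as part of this change. Making the field a u64 (or a __user-annotated pointer) would record what it now holds and remove the `(u64)map->va` casts in the lookup.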
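Review bot: The fastrpc_put_args hunk (-1106,7) passes 0, 0 for va and len, but the new condition in fastrpc_map_lookup skips an entry whenever `va < (u64)map->va`, which is true for every map whose va is non-zero. Since fastrpc_map_create now stores the caller's va in map->va, this lookup stops matching and fastrpc_map_put(mmap) no longer runs for the fds in fdlist, so those references stay held. Keep an fd-only lookup for this release path, or have the lookup treat len == 0 as a match on fd alone, and say which map is to be released now that a lookup miss on range lets fastrpc_map_create add a second map for the same fd.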