From: Ekansh Gupta
Subject: [PATCH v1 1/3] misc: fastrpc: Save actual DMA size in fastrpc_map structure
Date: Thu, 22 Aug 2024 16:29:31 +0530
Message-ID: <20240822105933.2644945-2-quic_ekangupt@quicinc.com>
In-Reply-To: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
References: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

For user passed fd buffer, map is created using DMA calls. The
map related information is stored in fastrpc_map structure. The
actual DMA size is not stored in the structure. Store the actual
size of buffer and check it against the user passed size.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable
Signed-off-by: Ekansh Gupta
Reviewed-by: Dmitry Baryshkov
---
 drivers/misc/fastrpc.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 5204fda51da3..bcfb8ce1a0e3 100644
--- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -322,11 +322,11 @@ static void fastrpc_free_map(struct kref *ref) perm.vmid = QCOM_SCM_VMID_HLOS; perm.perm = QCOM_SCM_PERM_RWX; - err = qcom_scm_assign_mem(map->phys, map->size, + err = qcom_scm_assign_mem(map->phys, map->len, &src_perms, &perm, 1); if (err) { dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); return; } } @@ -757,7 +757,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; struct sg_table *table; - int err = 0; + struct scatterlist *sgl = NULL; + int err = 0, sgl_index = 0; if (!fastrpc_map_lookup(fl, fd, ppmap, true)) return 0; @@ -797,7 +798,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, map->phys = sg_dma_address(map->table->sgl); map->phys += ((u64)fl->sctx->sid << 32); } - map->size = len; + for_each_sg(map->table->sgl, sgl, map->table->nents, + sgl_index) + map->size += sg_dma_len(sgl); + if (len > map->size) { + dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n", + len, map->size); + err = -EINVAL; + goto map_err; + } map->va = sg_virt(map->table->sgl); map->len = len; @@ -814,10 +823,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, dst_perms[1].vmid = fl->cctx->vmperms[0].vmid; dst_perms[1].perm = QCOM_SCM_PERM_RWX; map->attr = attr; - err = qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_perms, 2); + err = qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_perms, 2); if (err) { dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); goto map_err; } } 
@@ -2044,7 +2053,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) args[0].length = sizeof(req_msg); pages.addr = map->phys; - pages.size = map->size; + pages.size = map->len; args[1].ptr = (u64) (uintptr_t) &pages; args[1].length = sizeof(pages); @@ -2059,7 +2068,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[0]); if (err) { dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n", - req.fd, req.vaddrin, map->size); + req.fd, req.vaddrin, map->len); goto err_invoke; } 
@@ -2072,7 +2081,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) if (copy_to_user((void __user *)argp, &req, sizeof(req))) { /* unmap the memory and release the buffer */ req_unmap.vaddr = (uintptr_t) rsp_msg.vaddr; - req_unmap.length = map->size; + req_unmap.length = map->len; fastrpc_req_mem_unmap_impl(fl, &req_unmap); return -EFAULT; }
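
Review bot: In the fastrpc_map_create() hunk, map->size and map->len now mean different things (summed sg_dma_len() versus the user-passed len) but nothing in the code says so, and every other hunk in this patch moves its caller to map->len, leaving the len > map->size check as the only reader of map->size here. Please add a comment where the two fields are set stating which is which. The loop for_each_sg(map->table->sgl, sgl, map->table->nents, sgl_index) can be written as for_each_sgtable_dma_sg(map->table, sgl, sgl_index), and the += relies on map->size being zero beforehand, which is not visible in this hunk. The rejection is logged with dev_dbg while the neighbouring failure paths use dev_err; if that is deliberate to keep user-triggerable errors out of the log, a short comment would make it clear.
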
From: Ekansh Gupta
Subject: [PATCH v1 2/3] misc: fastrpc: Fix fastrpc_map_lookup operation
Date: Thu, 22 Aug 2024 16:29:32 +0530
Message-ID: <20240822105933.2644945-3-quic_ekangupt@quicinc.com>
In-Reply-To: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
References: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

Fastrpc driver creates maps for user allocated fd buffers. Before
creating a new map, the map list is checked for any already existing
maps using map fd. Checking with just map fd is not sufficient as the
user can pass offsetted buffer with less size when the map is created
and then a larger size the next time which could result in memory
issues. Check for user passed VA and length also when looking up for
the map.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable
Signed-off-by: Ekansh Gupta
---
 drivers/misc/fastrpc.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index bcfb8ce1a0e3..ebe828770a8d 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -362,7 +362,8 @@ static int fastrpc_map_get(struct fastrpc_map *map) static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, - struct fastrpc_map **ppmap, bool take_ref) + u64 va, u64 len, struct fastrpc_map **ppmap, + bool take_ref) { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; @@ -370,7 +371,8 @@ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, spin_lock(&fl->lock); list_for_each_entry(map, &fl->maps, node) { - if (map->fd != fd) + if (map->fd != fd || va < (u64)map->va || + va + len > (u64)map->va + map->size) continue; if (take_ref) { @@ -752,7 +754,8 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops = { }; static int fastrpc_map_create(struct fastrpc_user *fl, int fd, - u64 len, u32 attr, struct fastrpc_map **ppmap) + u64 va, u64 len, u32 attr, + struct fastrpc_map **ppmap) { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; @@ -760,7 +763,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, struct scatterlist *sgl = NULL; int err = 0, sgl_index = 0; - if (!fastrpc_map_lookup(fl, fd, ppmap, true)) + if (!fastrpc_map_lookup(fl, fd, va, len, ppmap, true)) return 0; map = kzalloc(sizeof(*map), GFP_KERNEL); @@ -807,7 +810,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, err = -EINVAL; goto map_err; } - map->va = sg_virt(map->table->sgl); + map->va = (void *)(uintptr_t)va; map->len = len; if (attr & FASTRPC_ATTR_SECUREMAP) { @@ -920,7 +923,8 @@ static int fastrpc_create_maps(struct fastrpc_invoke_ctx *ctx) continue; err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, - ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + (u64)ctx->args[i].ptr, ctx->args[i].length, + ctx->args[i].attr, &ctx->maps[i]); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; 
@@ -1106,7 +1110,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx, for (i = 0; i < FASTRPC_MAX_FDLIST; i++) { if (!fdlist[i]) break; - if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + if (!fastrpc_map_lookup(fl, (int)fdlist[i], 0, 0, &mmap, false)) fastrpc_map_put(mmap); } @@ -1412,7 +1416,8 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, fl->pd = USER_PD; if (init.filelen && init.filefd) { - err = fastrpc_map_create(fl, init.filefd, init.filelen, 0, &map); + err = fastrpc_map_create(fl, init.filefd, init.file, + init.filelen, 0, &map); if (err) goto err; } 
@@ -2034,7 +2039,8 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) return -EFAULT; /* create SMMU mapping */ - err = fastrpc_map_create(fl, req.fd, req.length, 0, &map); + err = fastrpc_map_create(fl, req.fd, req.vaddrin, req.length, + 0, &map); if (err) { dev_err(dev, "failed to map buffer, fd = %d\n", req.fd); return err;
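
Review bot: In the fastrpc_map_lookup() hunk, the test va + len > (u64)map->va + map->size adds two caller-supplied u64 values with no overflow check (the callers in this patch pass ctx->args[i].ptr and ctx->args[i].length, or req.vaddrin and req.length), so a sum that wraps compares as small and the entry is accepted. Use check_add_overflow(), or, once va >= (u64)map->va has been established, compare len against map->size - (va - (u64)map->va). Since map->va is now the va given when the map was created rather than sg_virt() of the buffer, please also confirm that map->size, and not map->len, is the right upper limit from that address.
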
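
Review bot: In the fastrpc_put_args() hunk, the lookup is now called with va = 0 and len = 0, but the new condition in fastrpc_map_lookup() skips every entry where va < (u64)map->va, so this call can only match a map whose va is 0 and fastrpc_map_put(mmap) is no longer reached for the fds the DSP returns in fdlist. Either keep an fd-only lookup for this caller or make fastrpc_map_lookup() skip the range test when no range is supplied, and document which behaviour is intended.
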
From: Ekansh Gupta
Subject: [PATCH v1 3/3] misc: fastrpc: Skip reference for DMA handles
Date: Thu, 22 Aug 2024 16:29:33 +0530
Message-ID: <20240822105933.2644945-4-quic_ekangupt@quicinc.com>
In-Reply-To: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
References: <20240822105933.2644945-1-quic_ekangupt@quicinc.com>
X-Mailing-List: linux-arm-msm@vger.kernel.org

If multiple dma handles are passed with same fd over a remote call
the kernel driver takes a reference and expects that put for the
map will be called as many times to free the map. But DSP only
updates the fd one time in the fd list when the DSP refcount
goes to zero and hence kernel makes put call only once for the
fd. This can cause SMMU fault issue as the same fd can be used
in future for some other call.

Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation")
Cc: stable
Signed-off-by: Ekansh Gupta
---
 drivers/misc/fastrpc.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index ebe828770a8d..ad56e918e1f8 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -755,7 +755,7 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops = { static int fastrpc_map_create(struct fastrpc_user *fl, int fd, u64 va, u64 len, u32 attr, - struct fastrpc_map **ppmap) + struct fastrpc_map **ppmap, bool take_ref) { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; @@ -763,7 +763,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, struct scatterlist *sgl = NULL; int err = 0, sgl_index = 0; - if (!fastrpc_map_lookup(fl, fd, va, len, ppmap, true)) + if (!fastrpc_map_lookup(fl, fd, va, len, ppmap, take_ref)) return 0; map = kzalloc(sizeof(*map), GFP_KERNEL); @@ -917,14 +917,17 @@ static int fastrpc_create_maps(struct fastrpc_invoke_ctx *ctx) int i, err; for (i = 0; i < ctx->nscalars; ++i) { + bool take_ref = true; if (ctx->args[i].fd == 0 || ctx->args[i].fd == -1 || ctx->args[i].length == 0) continue; + if (i >= ctx->nbufs) + take_ref = false; err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, (u64)ctx->args[i].ptr, ctx->args[i].length, - ctx->args[i].attr, &ctx->maps[i]); + ctx->args[i].attr, &ctx->maps[i], take_ref); if (err) { dev_err(dev, "Error Creating map %d\n", err); return -EINVAL; @@ -1417,7 +1420,7 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, if (init.filelen && init.filefd) { err = fastrpc_map_create(fl, init.filefd, init.file, - init.filelen, 0, &map); + init.filelen, 0, &map, true); if (err) goto err; } @@ -2040,7 +2043,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) /* create SMMU mapping */ err = fastrpc_map_create(fl, req.fd, req.vaddrin, req.length, - 0, &map); + 0, &map, true); if (err) { dev_err(dev, "failed to map buffer, fd = %d\n", req.fd); return err;
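
Review bot: In the fastrpc_map_create() hunks, take_ref is forwarded only to fastrpc_map_lookup(), so it has an effect only when an existing map is found; when the lookup misses, the function still goes on to kzalloc() a new map whatever the flag says. The parameter name reads as if it governs the whole function, so please document that it applies to the reuse path only, or handle the flag on the create path too so the first and later calls for the same fd behave consistently.
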
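
Review bot: In the fastrpc_create_maps() hunk, the reason entries with i >= ctx->nbufs skip the reference exists only in the commit message; add a short comment at the i >= ctx->nbufs test, and the flag can be initialised directly as bool take_ref = i < ctx->nbufs; with a blank line after the declaration. ctx->maps[i] is still filled in for those entries, so whatever later releases ctx->maps[] must not drop a reference that was never taken here; that release path is not part of this patch and should be checked or covered in the same series.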