[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250806115114.688814-4-quic_lxu5@quicinc.com>
Date: Wed, 6 Aug 2025 17:21:13 +0530
From: Ling Xu <quic_lxu5@...cinc.com>
To: <srini@...nel.org>, <amahesh@....qualcomm.com>, <arnd@...db.de>,
<gregkh@...uxfoundation.org>, <sumit.semwal@...aro.org>,
<christian.koenig@....com>, <thierry.escande@...aro.org>,
<quic_vgattupa@...cinc.com>
CC: <quic_kuiw@...cinc.com>, <ekansh.gupta@....qualcomm.com>,
<dri-devel@...ts.freedesktop.org>, <linux-arm-msm@...r.kernel.org>,
<linux-media@...r.kernel.org>, <linaro-mm-sig@...ts.linaro.org>,
<linux-kernel@...r.kernel.org>, Ling Xu <quic_lxu5@...cinc.com>,
<stable@...nel.org>
Subject: [PATCH v2 3/4] misc: fastrpc: fix possible map leak in fastrpc_put_args
copy_to_user() failure would cause an early return without cleaning up
the fdlist, which has been updated by the DSP. This could lead to map
leak. Fix this by redirecting to a cleanup path on failure, ensuring
that all mapped buffers are properly released before returning.
Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@...nel.org
Co-developed-by: Ekansh Gupta <ekansh.gupta@....qualcomm.com>
Signed-off-by: Ekansh Gupta <ekansh.gupta@....qualcomm.com>
Signed-off-by: Ling Xu <quic_lxu5@...cinc.com>
---
drivers/misc/fastrpc.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 1815b1e0c607..d950a179bff8 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1085,6 +1085,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx,
struct fastrpc_phy_page *pages;
u64 *fdlist;
int i, inbufs, outbufs, handles;
+ int ret = 0;
inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
@@ -1100,14 +1101,17 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx,
u64 len = rpra[i].buf.len;
if (!kernel) {
- if (copy_to_user((void __user *)dst, src, len))
- return -EFAULT;
+ if (copy_to_user((void __user *)dst, src, len)) {
+ ret = -EFAULT;
+ goto cleanup_fdlist;
+ }
} else {
memcpy(dst, src, len);
}
}
}
+cleanup_fdlist:
/* Clean up fdlist which is updated by DSP */
for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
if (!fdlist[i])
@@ -1116,7 +1120,7 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx,
fastrpc_map_put(mmap);
}
- return 0;
+ return ret;
}
static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx,
--
2.34.1
Powered by blists - more mailing lists