FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context#517
FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context#517quic-anane wants to merge 1 commit into
Conversation
Update the patch for adding refcount for fastrpc user structure. Signed-off-by: Anandu Krishnan E <anane@qti.qualcomm.com>
quic-anane
requested review from
a team,
mukeshojha-linux,
ndechesne and
quicAspratap
Test Matrix
|
shashim-quic
left a comment
shashim-quic
left a comment
There was a problem hiding this comment.
send it to upstream and bring as FROMLIST
currently this branch has the v1 version of the patch i send (https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/) now i have shared v3 version of patch to community (https://lore.kernel.org/all/20260428073334.934358-1-anandu.e@oss.qualcomm.com/) how can i update the same here ? |
shashim-quic
left a comment
shashim-quic
left a comment
There was a problem hiding this comment.
misc: fastrpc: Update to v3 patch
Update the patch for adding refcount for fastrpc
user structure.Signed-off-by: Anandu Krishnan E anane@qti.qualcomm.com
Add FROMLIST (or other relevant) prefix and add Link: tag in commit log pointing to valid lore link.
quic-anane
changed the title
shashim-quic
left a comment
shashim-quic
left a comment
There was a problem hiding this comment.
misc: fastrpc: Update to v3 patch
Update the patch for adding refcount for fastrpc
user structure.Signed-off-by: Anandu Krishnan E anane@qti.qualcomm.com
You need to bring what is submitted in upstream as it is with FROMLIST: prefix and Link: tag added in commit log. Refer how others are doing.
|
close , will be raising new with revert |
4 participants
There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:
fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
to strip the SID bits from the stored IOVA before passing the
physical address to dma_free_coherent().
fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
reconstruct the source permission bitmask needed for the
qcom_scm_assign_mem() call that returns memory from the DSP VM
back to HLOS.
fastrpc_free_map() acquires map->fl->lock to safely remove the
map node from the fl->maps list.
The resulting use-after-free manifests as:
pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388
Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.
Link: https://lore.kernel.org/all/20260428073334.934358-1-anandu.e@oss.qualcomm.com/
Fixes: 6cffd79 ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E anandu.e@oss.qualcomm.com