The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@xxxxxxxxxxxxxxx>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x a2cb9cd6a3949a3804ad9fd7da234892ce6719ec # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable@xxxxxxxxxxxxxxx>' --in-reply-to '2023091639-gallantly-pellet-e738@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: a2cb9cd6a394 ("misc: fastrpc: Fix incorrect DMA mapping unmap request") 791da5c7fedb ("misc: fastrpc: Prepare to dynamic dma-buf locking specification") e90d91190619 ("misc: fastrpc: Add support to secure memory map") 7f1f481263c3 ("misc: fastrpc: check before loading process to the DSP") 3abe3ab3cdab ("misc: fastrpc: add secure domain support") 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities") 5c1b97c7d7b7 ("misc: fastrpc: add support for FASTRPC_IOCTL_MEM_MAP/UNMAP") 965602eabb57 ("misc: fastrpc: separate fastrpc device from channel context") 304b0ba0a21b ("misc: fastrpc: Update number of max fastrpc sessions") 6010d9befc8d ("misc: fastrpc: add ioctl for attaching to sensors pd") 84195d206e1f ("misc: fastrpc: define names for protection domain ids") 7c920da30e04 ("misc: fastrpc: fix indentation error in uapi header") 0978de9fc733 ("misc: fastrpc: Fix an incomplete memory release in fastrpc_rpmsg_probe()") 2d10d2d17072 ("misc: fastrpc: fix memory leak from miscdev->name") 2419e55e532d ("misc: fastrpc: add mmap/unmap support") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From a2cb9cd6a3949a3804ad9fd7da234892ce6719ec Mon Sep 17 00:00:00 2001 From: Ekansh Gupta <quic_ekangupt@xxxxxxxxxxx> Date: Fri, 11 Aug 2023 12:56:42 +0100 Subject: [PATCH] misc: fastrpc: Fix incorrect DMA mapping unmap request Scatterlist table is obtained during map create request and the same table is used for DMA mapping unmap. In case there is any failure while getting the sg_table, ERR_PTR is returned instead of sg_table. When the map is getting freed, there is only a non-NULL check of sg_table which will also be true in case failure was returned instead of sg_table. This would result in improper unmap request. Add proper check before setting map table to avoid bad unmap request. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable <stable@xxxxxxxxxx> Signed-off-by: Ekansh Gupta <quic_ekangupt@xxxxxxxxxxx> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx> Link: https://lore.kernel.org/r/20230811115643.38578-3-srinivas.kandagatla@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 7d8818a4089f..0b376d9a2744 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -757,6 +757,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, { struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; + struct sg_table *table; int err = 0; if (!fastrpc_map_lookup(fl, fd, ppmap, true)) @@ -784,11 +785,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, goto attach_err; } - map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); - if (IS_ERR(map->table)) { - err = PTR_ERR(map->table); + table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); + if (IS_ERR(table)) { + err = PTR_ERR(table); goto map_err; } + map->table = table; if (attr & FASTRPC_ATTR_SECUREMAP) { map->phys = sg_phys(map->table->sgl);