* [PATCH 1/3] misc: fastrpc: reject oversized DMA allocations
@ 2026-06-25 8:56 Yousef Alhouseen
From: Yousef Alhouseen @ 2026-06-25 8:56 UTC (permalink / raw)
To: Srinivas Kandagatla, Amol Maheshwari
Cc: Konrad Dybcio, Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm,
dri-devel, linux-kernel, Yousef Alhouseen
FastRPC keeps invoke and mmap buffer sizes in u64 fields, but coherent
DMA allocation takes a size_t. On 32-bit builds, a size above SIZE_MAX
can be truncated before allocation while the larger value is still used
in the message sent to the DSP.

Reject sizes that cannot fit in size_t before allocating the DMA buffer.
Also make the inline payload alignment step overflow-aware so a
near-U64_MAX accumulator cannot wrap before the later bounds checks.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/misc/fastrpc.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index bfdf8ab6a..8992b5c0c 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -437,6 +437,9 @@ static int __fastrpc_buf_alloc(struct fastrpc_user *fl, struct device *dev,
{
struct fastrpc_buf *buf;
+ if (size > SIZE_MAX)
+ return -EOVERFLOW;
+
buf = kzalloc_obj(*buf);
if (!buf)
return -ENOMEM;
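Review bot: on builds where size_t is 64 bits wide, `if (size > SIZE_MAX)` can never be true, so the check reads as dead code (and may draw a -Wtype-limits "comparison is always false" warning) to anyone who does not know that `size` is a u64 and that the 32-bit truncation from the commit message is the case being guarded. A one-line comment saying the check only bites when sizeof(size_t) < sizeof(u64) would help, and since the parameter list of __fastrpc_buf_alloc() is cut off in this hunk, the commit message should state that `size` is indeed the u64 parameter rather than already a size_t.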
@@ -1035,8 +1038,14 @@ static int fastrpc_get_payload_size(struct fastrpc_invoke_ctx *ctx, int metalen,
u64 len = ctx->olaps[oix].mend -
ctx->olaps[oix].mstart;
- if (ctx->olaps[oix].offset == 0)
- size = ALIGN(size, FASTRPC_ALIGN);
+ if (ctx->olaps[oix].offset == 0) {
+ u64 aligned;
+
+ if (check_add_overflow(size, FASTRPC_ALIGN - 1,
+ &aligned))
+ return -EOVERFLOW;
+ size = aligned & ~(FASTRPC_ALIGN - 1);
+ }
if (check_add_overflow(size, len, &size))
return -EOVERFLOW;
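Review bot: `aligned & ~(FASTRPC_ALIGN - 1)` is only a correct 64-bit mask if `FASTRPC_ALIGN - 1` is a signed int that sign-extends when promoted to u64; if FASTRPC_ALIGN is (or later becomes) an unsigned or size_t expression, `~(FASTRPC_ALIGN - 1)` zero-extends and silently clears the upper 32 bits of `size`. Prefer `size = ALIGN_DOWN(aligned, FASTRPC_ALIGN);`, which casts the mask to the type of its first argument, or spell the mask as `~((u64)FASTRPC_ALIGN - 1)`. A short comment on why ALIGN() is avoided here (its unchecked `+ FASTRPC_ALIGN - 1` is the wrap the commit message describes) would also spare the next reader from "simplifying" it back.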
--
2.54.0
* [PATCH 2/3] misc: fastrpc: fix map cleanup paths
From: Yousef Alhouseen @ 2026-06-25 8:56 UTC (permalink / raw)
To: Srinivas Kandagatla, Amol Maheshwari
Cc: Konrad Dybcio, Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm,
dri-devel, linux-kernel, Yousef Alhouseen
fastrpc_create_maps() can attach dma-bufs for every scalar argument,
including handle arguments beyond the input and output buffer count.
fastrpc_context_free() only dropped references up to nbufs, leaving
handle maps attached after invoke cleanup.

fastrpc_map_attach() also falls through to fastrpc_map_put() after
manually detaching and putting the dma-buf on late errors. Leave the map
object in a state that matches the resources still owned by the release
path so the attachment and dma-buf are not released twice.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/misc/fastrpc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 8992b5c0c..50f90e17e 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -580,7 +580,7 @@ static void fastrpc_context_free(struct kref *ref)
cctx = ctx->cctx;
fl = ctx->fl;
- for (i = 0; i < ctx->nbufs; i++)
+ for (i = 0; i < ctx->nscalars; i++)
fastrpc_map_put(ctx->maps[i]);
if (ctx->buf)
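Review bot: widening the loop bound from nbufs to nscalars assumes that ctx->maps has at least nscalars entries and that every slot in [nbufs, nscalars) is either a map created by fastrpc_create_maps() or a NULL that fastrpc_map_put() tolerates; neither fact is visible in this hunk. The commit message should state where maps[] is sized and that fastrpc_map_put() is NULL-safe, or the loop should skip empty slots explicitly (`if (ctx->maps[i])`), otherwise a handle argument that did not attach a dma-buf turns the old reference leak into a NULL dereference at context free.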
@@ -917,7 +917,7 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
if (IS_ERR(table)) {
err = PTR_ERR(table);
- goto map_err;
+ goto detach_err;
}
map->table = table;
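Review bot: the retargeted goto breaks the label convention already used in this function, where a label names the step that failed (`attach_err` is reached when attach fails, `get_err` when the dma-buf get fails); after this change a failed dma_buf_map_attachment_unlocked() jumps to `detach_err`, while `map_err` is reached only from paths on which the mapping succeeded. Keeping `map_err` as the target here and adding a new label such as `unmap_err` for the later failures would keep the unwind ladder readable.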
@@ -966,9 +966,15 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
return 0;
map_err:
+ dma_buf_unmap_attachment_unlocked(map->attach, map->table,
+ DMA_BIDIRECTIONAL);
+ map->table = NULL;
+detach_err:
dma_buf_detach(map->buf, map->attach);
+ map->attach = NULL;
attach_err:
dma_buf_put(map->buf);
+ map->buf = NULL;
get_err:
fastrpc_map_put(map);
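Review bot: clearing map->table, map->attach and map->buf before falling into fastrpc_map_put() only prevents a double release if the kref release callback checks each pointer for NULL before unmapping, detaching and putting; that callback is not in the hunk, so the commit message should say so explicitly or the series should add those guards alongside this change. The unmap now performed under `map_err:` is reached from error paths after a successful mapping that are also not shown here; listing them in the commit message would let a reviewer confirm none of them already unmaps the table before jumping.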
--
2.54.0
* [PATCH 3/3] misc: fastrpc: protect interrupted mmap cleanup
From: Yousef Alhouseen @ 2026-06-25 8:56 UTC (permalink / raw)
To: Srinivas Kandagatla, Amol Maheshwari
Cc: Konrad Dybcio, Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm,
dri-devel, linux-kernel, Yousef Alhouseen
The interrupted invoke path walks and moves fl->mmaps without holding
fl->lock, racing concurrent mmap and munmap operations that use the same
list. Move the buffers while holding the user lock and use list_del_init()
so later cleanup can safely identify moved nodes.

Buffers moved to the channel interrupted list are also discarded on rpmsg
removal without freeing their coherent DMA allocations. Free them during
channel removal so interrupted invokes cannot permanently leak DMA buffers.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/misc/fastrpc.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 50f90e17e..608878052 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1395,10 +1395,12 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
bail:
if (err == -ERESTARTSYS) {
+ spin_lock(&fl->lock);
list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
- list_del(&buf->node);
+ list_del_init(&buf->node);
list_add_tail(&buf->node, &fl->cctx->invoke_interrupted_mmaps);
}
+ spin_unlock(&fl->lock);
}
/* We are done with this compute context */
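Review bot: list_del_init() immediately followed by list_add_tail() on the same node is just `list_move_tail(&buf->node, &fl->cctx->invoke_interrupted_mmaps);`; list_add_tail() rewrites both link pointers, so the _init variant adds nothing here and the "safely identify moved nodes" rationale in the commit message does not apply to this hunk. Separately, fl->lock is a per-user lock and covers the walk of fl->mmaps, but the destination list lives in the channel context (fl->cctx) and is shared by every user of that channel; please state which lock serialises insertions into invoke_interrupted_mmaps against other users and against the walk in fastrpc_rpmsg_remove(), since fl->lock cannot.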
@@ -2628,8 +2630,10 @@ static void fastrpc_rpmsg_remove(struct rpmsg_device *rpdev)
if (cctx->secure_fdevice)
misc_deregister(&cctx->secure_fdevice->miscdev);
- list_for_each_entry_safe(buf, b, &cctx->invoke_interrupted_mmaps, node)
- list_del(&buf->node);
+ list_for_each_entry_safe(buf, b, &cctx->invoke_interrupted_mmaps, node) {
+ list_del_init(&buf->node);
+ fastrpc_buf_free(buf);
+ }
if (cctx->remote_heap)
fastrpc_buf_free(cctx->remote_heap);
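Review bot: freeing the interrupted buffers here turns a leak into a potential use-after-free if anything can still reference them at remove time: they were moved out of a user's fl->mmaps because an invoke was interrupted, so that user may still hold the mapping of the buffer, and a fastrpc_internal_invoke() on a still-open fd may be appending to this list while it is walked without any lock. Please confirm in the commit message that all user files are torn down and their mappings gone before this point, or take the appropriate channel lock and keep the buffers alive until the last mapping is released. Since the node is freed on the next line, plain list_del() would do; list_del_init() buys nothing here.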
--
2.54.0
* Re: [PATCH 1/3] misc: fastrpc: reject oversized DMA allocations
From: Greg Kroah-Hartman @ 2026-06-25 9:48 UTC (permalink / raw)
To: Yousef Alhouseen
Cc: Srinivas Kandagatla, Amol Maheshwari, Konrad Dybcio,
Arnd Bergmann, linux-arm-msm, dri-devel, linux-kernel
On Thu, Jun 25, 2026 at 10:56:57AM +0200, Yousef Alhouseen wrote:
> FastRPC keeps invoke and mmap buffer sizes in u64 fields, but coherent
> DMA allocation takes a size_t. On 32-bit builds, a size above SIZE_MAX
> can be truncated before allocation while the larger value is still used
> in the message sent to the DSP.
>
> Reject sizes that cannot fit in size_t before allocating the DMA buffer.
> Also make the inline payload alignment step overflow-aware so a
> near-U64_MAX accumulator cannot wrap before the later bounds checks.
>
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> ---
> drivers/misc/fastrpc.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
Are you forgetting to include the tool information that you used to
find/fix all of these issues? And how are they being tested?

thanks,

greg k-h
* Re: [PATCH 1/3] misc: fastrpc: reject oversized DMA allocations
From: Yousef Alhouseen @ 2026-06-25 13:54 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Srinivas Kandagatla, Amol Maheshwari, Konrad Dybcio,
Arnd Bergmann, linux-arm-msm, dri-devel, linux-kernel
Hi Greg,

I found these by auditing the FastRPC ioctl and invoke paths after
Konrad pointed out that the related fixes should be grouped.

Testing was limited to git diff --check and checkpatch. I don't have
FastRPC hardware, and I could not do an object build in this tree
because bc is missing here.

I'll hold off on more FastRPC changes unless I can back them with a
tighter review and test story.

Thanks,
Yousef
On Thu, 25 Jun 2026 10:48:00 +0100, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Thu, Jun 25, 2026 at 10:56:57AM +0200, Yousef Alhouseen wrote:
> > FastRPC keeps invoke and mmap buffer sizes in u64 fields, but coherent
> > DMA allocation takes a size_t. On 32-bit builds, a size above SIZE_MAX
> > can be truncated before allocation while the larger value is still used
> > in the message sent to the DSP.
> >
> > Reject sizes that cannot fit in size_t before allocating the DMA buffer.
> > Also make the inline payload alignment step overflow-aware so a
> > near-U64_MAX accumulator cannot wrap before the later bounds checks.
> >
> > Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> > ---
> > drivers/misc/fastrpc.c | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
> >
>
> Are you forgetting to include the tool information that you used to
> find/fix all of these issues? And how are they being tested?
>
> thanks,
>
> greg k-h