dri-devel Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Ekansh Gupta" <ekansh.gupta@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v13 1/4] misc: fastrpc: Move fdlist to invoke context structure
Date: Mon, 13 Jul 2026 05:34:48 +0000	[thread overview]
Message-ID: <20260713053448.CE5501F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713052236.3033744-2-ekansh.gupta@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Arbitrary kernel memory read to userspace via untrusted `rpra` pointers.
- [Critical] Use-After-Free via DSP-manipulated `fdlist` dropping active map references.
- [Medium] Memory leak of `fastrpc_map` objects on timeout or interruption.
--

--- Patch [1]: [PATCH v13 1/4] misc: fastrpc: Move fdlist to invoke context structure ---
commit 3273bebbc8c035be416508d67400b312f049c6e6
Author: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>

misc: fastrpc: Move fdlist to invoke context structure

This commit moves the fdlist from being recalculated during
fastrpc_put_args() to being stored directly in the fastrpc_invoke_ctx
structure. This centralizes its handling and simplifies the meta buffer
preparation and reading logic.

> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index d86e79134c681..02c2765e1188c 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c

[ ... ]

> @@ -1165,18 +1167,11 @@ static int fastrpc_put_args(struct fastrpc_invoke_ctx *ctx,
>  	union fastrpc_remote_arg *rpra = ctx->rpra;
>  	struct fastrpc_user *fl = ctx->fl;
>  	struct fastrpc_map *mmap = NULL;
> -	struct fastrpc_invoke_buf *list;
> -	struct fastrpc_phy_page *pages;
> -	u64 *fdlist;
> -	int i, inbufs, outbufs, handles;
> +	u64 *fdlist = ctx->fdlist;
> +	int i, inbufs;
>  	int ret = 0;
>  
>  	inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
> -	outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
> -	handles = REMOTE_SCALARS_INHANDLES(ctx->sc) + REMOTE_SCALARS_OUTHANDLES(ctx->sc);
> -	list = fastrpc_invoke_buf_start(rpra, ctx->nscalars);
> -	pages = fastrpc_phy_page_start(list, ctx->nscalars);
> -	fdlist = (uint64_t *)(pages + inbufs + outbufs + handles);
>  
>  	for (i = inbufs; i < ctx->nbufs; ++i) {
>  		if (!ctx->maps[i]) {

[Severity: Medium]
This is a pre-existing issue, but does this code leak the fastrpc_map
objects if an invoke operation times out or is interrupted?

If fastrpc_internal_invoke() exits early for timeouts or signals, it skips
fastrpc_put_args() and leaves the context in the pending list:

drivers/misc/fastrpc.c:fastrpc_internal_invoke() {
    ...
    if (err != -ERESTARTSYS && err != -ETIMEDOUT) {
        /* We are done with this compute context */
        spin_lock(&fl->lock);
        list_del(&ctx->node);
        spin_unlock(&fl->lock);
        fastrpc_context_put(ctx);
    }
    ...
}

When the DSP eventually replies, the completion callback asynchronously frees
the context via fastrpc_context_free(). However, fastrpc_context_free() does
not execute the fdlist cleanup logic:

drivers/misc/fastrpc.c:fastrpc_context_free() {
    ...
    for (i = 0; i < ctx->nbufs; i++)
        fastrpc_map_put(ctx->maps[i]);
    ...
}

Are maps the DSP returned in fdlist to be released permanently leaked in this
scenario?

[Severity: Critical]
This is a pre-existing issue, but can a compromised DSP cause a
use-after-free by manipulating the untrusted fdlist?

In fastrpc_put_args(), the kernel iterates over fdlist and drops references
for maps without verifying if they are actively in use by the current
context:

drivers/misc/fastrpc.c:fastrpc_put_args() {
    ...
    for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
        if (!fdlist[i])
            break;
        if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
            fastrpc_map_put(mmap);
    }
    ...
}

If a malicious DSP injects file descriptors of actively used maps (e.g.,
those in ctx->maps[i]), it could cause their reference count to drop to zero
prematurely. When the context is subsequently destroyed, the kernel drops
references again:

drivers/misc/fastrpc.c:fastrpc_context_free() {
    ...
    for (i = 0; i < ctx->nbufs; i++)
        fastrpc_map_put(ctx->maps[i]);
    ...
}

Could this lead to memory corruption when ctx->maps[i] is freed twice?

[Severity: Critical]
This is a pre-existing issue, but does this code allow arbitrary kernel memory
disclosure via untrusted rpra pointers?

The rpra array resides within ctx->buf->virt, a DMA-mapped buffer accessible
by the DSP. In fastrpc_put_args(), the kernel blindly reads the source pointer
and length directly from this shared memory:

drivers/misc/fastrpc.c:fastrpc_put_args() {
    ...
            void *src = (void *)(uintptr_t)rpra[i].buf.pv;
            void *dst = (void *)(uintptr_t)ctx->args[i].ptr;
            u64 len = rpra[i].buf.len;

            if (!kernel) {
                if (copy_to_user((void __user *)dst, src, len)) {
    ...
}

If a compromised DSP manipulates rpra[i].buf.pv and rpra[i].buf.len to point
to arbitrary kernel addresses, will the kernel pass these directly to
copy_to_user(), leaking sensitive data to userspace?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713052236.3033744-1-ekansh.gupta@oss.qualcomm.com?part=1

  reply	other threads:[~2026-07-13  5:34 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13  5:22 [PATCH v13 0/4] misc: fastrpc: Add polling mode support Ekansh Gupta
2026-07-13  5:22 ` [PATCH v13 1/4] misc: fastrpc: Move fdlist to invoke context structure Ekansh Gupta
2026-07-13  5:34   ` sashiko-bot [this message]
2026-07-13  5:22 ` [PATCH v13 2/4] misc: fastrpc: Replace hardcoded ctxid mask with GENMASK Ekansh Gupta
2026-07-13  5:37   ` sashiko-bot
2026-07-13  5:22 ` [PATCH v13 3/4] misc: fastrpc: Expand context ID mask for DSP polling mode support Ekansh Gupta
2026-07-13  5:37   ` sashiko-bot
2026-07-13  5:22 ` [PATCH v13 4/4] misc: fastrpc: Add polling mode support for fastRPC driver Ekansh Gupta
2026-07-13  5:38   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713053448.CE5501F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=ekansh.gupta@oss.qualcomm.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox