user/sven/linux.git/drivers/misc/fastrpc.c, branch v5.4.90

misc: fastrpc: fix potential fastrpc_invoke_ctx leak

2020-06-24T15:50:13Z

[ Upstream commit 74003385cf716f1b88cc7753ca282f5493f204a2 ] fastrpc_invoke_ctx can have refcount of 2 in error path where rpmsg_send() fails to send invoke message. decrement the refcount properly in the error path to fix this leak. This also fixes below static checker warning: drivers/misc/fastrpc.c:990 fastrpc_internal_invoke() warn: 'ctx->refcount.refcount.ref.counter' not decremented on lines: 990. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context") Reported-by: Dan Carpenter Signed-off-by: Srinivas Kandagatla Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20200512110930.2550-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

misc: fastrpc: Fix an incomplete memory release in fastrpc_rpmsg_probe()

2020-06-24T15:50:13Z

[ Upstream commit 0978de9fc7335c73934ab8fac189fb4cb3f23191 ] fastrpc_channel_ctx is not freed if misc_register() fails, this would lead to a memory leak. Fix this leak by adding kfree in misc_register() error path. Fixes: 278d56f970ae ("misc: fastrpc: Reference count channel context") Signed-off-by: Srinivas Kandagatla Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20200511162722.2552-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

misc: fastrpc: fix memory leak from miscdev->name

2019-12-31T15:43:58Z

[ Upstream commit 2d10d2d170723e9278282458a6704552dcb77eac ] Fix a memory leak in miscdev->name by using devm_variant Orignally reported by kmemleak: [] kmemleak_alloc+0x50/0x84 [] __kmalloc_track_caller+0xe8/0x168 [] kvasprintf+0x78/0x100 [] kasprintf+0x50/0x74 [] fastrpc_rpmsg_probe+0xd8/0x20c [] rpmsg_dev_probe+0xa8/0x148 [] really_probe+0x208/0x248 [] driver_probe_device+0x98/0xc0 [] __device_attach_driver+0x9c/0xac [] bus_for_each_drv+0x60/0x8c [] __device_attach+0x8c/0x100 [] device_initial_probe+0x20/0x28 [] bus_probe_device+0x34/0x7c [] device_add+0x420/0x498 [] device_register+0x24/0x2c Signed-off-by: Srinivas Kandagatla Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20191009144123.24583-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach

2019-10-04T16:22:14Z

In fastrpc_dma_buf_attach if dma_get_sgtable fails the allocated memory for a should be released. Signed-off-by: Navid Emamdoost Link: https://lore.kernel.org/r/20190925152742.16258-1-navid.emamdoost@gmail.com Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: free dma buf scatter list

2019-09-04T11:35:11Z

dma buf scatter list is never freed, free it! Orignally detected by kmemleak: backtrace: [] kmemleak_alloc+0x50/0x84 [] sg_kmalloc+0x38/0x60 [] __sg_alloc_table+0x60/0x110 [] sg_alloc_table+0x28/0x58 [] __sg_alloc_table_from_pages+0xc0/0x1ac [] sg_alloc_table_from_pages+0x14/0x1c [] __iommu_get_sgtable+0x5c/0x8c [] fastrpc_dma_buf_attach+0x84/0xf8 [] dma_buf_attach+0x70/0xc8 [] fastrpc_map_create+0xf8/0x1e8 [] fastrpc_device_ioctl+0x508/0x900 [] compat_SyS_ioctl+0x128/0x200 [] el0_svc_naked+0x34/0x38 [] 0xffffffffffffffff Reported-by: Mayank Chopra Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20190829092926.12037-6-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: fix double refcounting on dmabuf

2019-09-04T11:35:11Z

dma buf refcount has to be done by the driver which is going to use the fd. This driver already does refcount on the dmabuf fd if its actively using it but also does an additional refcounting via extra ioctl. This additional refcount can lead to memory leak in cases where the applications fail to call the ioctl to decrement the refcount. So remove this extra refcount in the ioctl More info of dma buf usage at drivers/dma-buf/dma-buf.c Reported-by: Mayank Chopra Reported-by: Jorge Ramirez-Ortiz Tested-by: Jorge Ramirez-Ortiz Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20190829092926.12037-5-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: remove unused definition

2019-09-04T11:35:11Z

Remove unused INIT_MEMLEN_MAX define. Signed-off-by: Jorge Ramirez-Ortiz Signed-off-by: Abhinav Asati Signed-off-by: Vamsi Singamsetty Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20190829092926.12037-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: Don't reference rpmsg_device after remove

2019-09-04T11:35:10Z

As fastrpc_rpmsg_remove() returns the rpdev of the channel context is no longer a valid object, so ensure to update the channel context to no longer reference the old object and guard in the invoke code path against dereferencing it. Signed-off-by: Bjorn Andersson Signed-off-by: Mayank Chopra Signed-off-by: Abhinav Asati Signed-off-by: Vamsi Singamsetty Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20190829092926.12037-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: Reference count channel context

2019-09-04T11:35:10Z

The channel context is referenced from the fastrpc user and might as user space holds the file descriptor open outlive the fastrpc device, which is removed when the remote processor is shutting down. Reference count the channel context in order to retain this object until all references has been relinquished. Signed-off-by: Bjorn Andersson Signed-off-by: Mayank Chopra Signed-off-by: Abhinav Asati Signed-off-by: Vamsi Singamsetty Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20190829092926.12037-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman

misc: fastrpc: fix memory leak when out of memory

2019-07-25T12:46:17Z

Do the necessary house-keeping if the allocated memory wont be used Signed-off-by: Jorge Ramirez-Ortiz Link: https://lore.kernel.org/r/20190705081303.14170-1-jorge.ramirez-ortiz@linaro.org Signed-off-by: Greg Kroah-Hartman