fastrpc_create_maps() can attach dma-bufs for every scalar argument, including handle arguments beyond the input and output buffer count. fastrpc_context_free() only dropped references up to nbufs, leaving handle maps attached after invoke cleanup.
fastrpc_map_attach() also falls through to fastrpc_map_put() after manually detaching and putting the dma-buf on late errors. Leave the map object in a state that matches the resources still owned by the release path so the attachment and dma-buf are not released twice. Signed-off-by: Yousef Alhouseen <[email protected]> --- drivers/misc/fastrpc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 8992b5c0c..50f90e17e 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -580,7 +580,7 @@ static void fastrpc_context_free(struct kref *ref) cctx = ctx->cctx; fl = ctx->fl; - for (i = 0; i < ctx->nbufs; i++) + for (i = 0; i < ctx->nscalars; i++) fastrpc_map_put(ctx->maps[i]); if (ctx->buf) @@ -917,7 +917,7 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL); if (IS_ERR(table)) { err = PTR_ERR(table); - goto map_err; + goto detach_err; } map->table = table; @@ -966,9 +966,15 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, return 0; map_err: + dma_buf_unmap_attachment_unlocked(map->attach, map->table, + DMA_BIDIRECTIONAL); + map->table = NULL; +detach_err: dma_buf_detach(map->buf, map->attach); + map->attach = NULL; attach_err: dma_buf_put(map->buf); + map->buf = NULL; get_err: fastrpc_map_put(map); -- 2.54.0
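Review bot: In the fastrpc_context_free() hunk, the loop `for (i = 0; i < ctx->nscalars; i++)` now calls fastrpc_map_put(ctx->maps[i]) for every scalar, but the commit message only says fastrpc_create_maps() "can" attach a dma-buf per argument, so some slots may never have been populated. Please confirm that ctx->maps is sized for nscalars entries and zero-initialised, and that fastrpc_map_put() tolerates a NULL map; neither is visible in this hunk. Is there any other cleanup path that already drops the references for handle entries at indices at or above nbufs? If so, this change would turn the leak into a double put. This fix is independent of the error-path changes in fastrpc_map_attach(), so consider splitting it into its own patch with a Fixes: tag naming the commit that introduced the leak.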
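Review bot: In the fastrpc_map_attach() unwind hunk (labels map_err, detach_err, attach_err), clearing map->table, map->attach and map->buf only prevents the double release if the release function reached through fastrpc_map_put(map) at get_err tests those pointers before it unmaps, detaches and puts. That function is not part of this diff, so please say in the commit message which checks the fix relies on, or add them in this patch. Because map_err now calls dma_buf_unmap_attachment_unlocked(map->attach, map->table, DMA_BIDIRECTIONAL), every remaining `goto map_err` has to sit after `map->table = table;`. That holds for the site changed to `goto detach_err`, but the jumps between the second and third hunks are not shown and should be checked. A short comment above map_err stating that the fall-through into fastrpc_map_put() is intentional would help the next reader.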
