Re: [PATCH v5 2/5] misc: fastrpc: Remove buffer from list prior to unmap operation

Next message: Ninad Naik: "[PATCH] dt-bindings: leds: bcm6358: Convert to DT schema"
Previous message: arash golgol: "Re: [PATCH 13/16] media: sun6i-isp: Add dummy params link_validate implementation"
Next in thread: Greg KH: "Re: [PATCH v5 2/5] misc: fastrpc: Remove buffer from list prior to unmap operation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jianping Li

Date: Sun May 24 2026 - 23:31:08 EST

On 5/22/2026 3:03 PM, Greg KH wrote:

On Fri, May 22, 2026 at 02:55:29PM +0800, Jianping Li wrote:

On 5/15/2026 9:36 PM, Dmitry Baryshkov wrote:

On Fri, May 15, 2026 at 08:42:14PM +0800, Jianping Li wrote:

From: Ekansh Gupta<ekansh.gupta@xxxxxxxxxxxxxxxx>

fastrpc_req_munmap_impl() is called to unmap any buffer. The buffer is
getting removed from the list after it is unmapped from DSP. This can
create potential race conditions if any other thread removes the entry
from list while unmap operation is ongoing. Remove the entry before

How can it remove the entry from the list?

Multiple threads sharing the same file descriptor may invoke unmap concurrently.

multiple threads sharing the same file descriptor is a horrible
userspace bug. If you do that, you get what you deserve :)

thanks,

greg k-h

I agree that concurrent unmap on the same buffer from multiple threads
is a userspace bug.

However, the fastrpc driver is exposed via ioctl, and any userspace
(including any random apk) can map directly and then call multiple unmap.

This patch is not intended to support incorrect userspace usage,
but to ensure that the driver remains robust against invalid or
racy inputs.

Thanks,
Jianping.