[PATCH] misc: fastrpc: take fl->lock when moving mmaps on interrupted invoke

Next message: Jimmy Hu (xWF): "Re: [PATCH] usb: gadget: udc: Fix NULL pointer dereference in gadget_match_driver"
Previous message: Chancel Liu (OSS): "RE: [PATCH] ASoC: cs42xx8: Add SPI bus support for CS42448/CS42888 codec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Tue Jun 02 2026 - 01:33:11 EST

When an invoke is interrupted by a signal,
wait_for_completion_interruptible() returns -ERESTARTSYS and
fastrpc_internal_invoke() moves every buffer from fl->mmaps onto
cctx->invoke_interrupted_mmaps. This list_del()/list_add_tail() walk
runs without holding fl->lock, the lock that serialises fl->mmaps in
fastrpc_req_mmap() and fastrpc_req_munmap() everywhere else.

Take fl->lock around the move, matching every other fl->mmaps accessor.

Fixes: 76e8e4ace1ed ("misc: fastrpc: Safekeep mmaps on interrupted invoke")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/misc/fastrpc.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 1080f9acf70a..1601c9667d0b 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1259,10 +1259,12 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
}

if (err == -ERESTARTSYS) {
+ spin_lock(&fl->lock);
list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
list_del(&buf->node);
list_add_tail(&buf->node, &fl->cctx->invoke_interrupted_mmaps);
}
+ spin_unlock(&fl->lock);
}

if (err)

---
base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
change-id: 20260602-fixes-ba3a01f66f34

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>