[PATCH] misc: fastrpc: initialize invoke refcount before publish

Next message: Yousef Alhouseen: "[PATCH] misc: fastrpc: reject oversized inline invoke payloads"
Previous message: Tejun Heo: "Re: [PATCH v2] sched_ext: Avoid flooding the log with deprecation warnings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Wed Jun 24 2026 - 14:55:34 EST

fastrpc_context_alloc() adds a new invoke context to the pending list
and the channel IDR before initializing its refcount.

A racing DSP response can find that context by ID and drop a reference
before kref_init() has run. Initialize the refcount before publishing the
context.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 6ced210ca..42fc128e1 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -703,6 +703,7 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc(
ctx->cctx = cctx;
init_completion(&ctx->work);
INIT_WORK(&ctx->put_work, fastrpc_context_put_wq);
+ kref_init(&ctx->refcount);

spin_lock(&user->lock);
list_add_tail(&ctx->node, &user->pending);
@@ -718,8 +719,6 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc(
ctx->ctxid = ret << 4;
spin_unlock_irqrestore(&cctx->lock, flags);

- kref_init(&ctx->refcount);
-
return ctx;
err_idr:
spin_lock(&user->lock);
--
2.54.0