[PATCH 2/3] misc: fastrpc: fix map cleanup paths

From: Yousef Alhouseen

Date: Thu Jun 25 2026 - 04:58:28 EST


fastrpc_create_maps() can attach dma-bufs for every scalar argument,
including handle arguments beyond the input and output buffer count.
fastrpc_context_free() only dropped references up to nbufs, leaving
handle maps attached after invoke cleanup.

fastrpc_map_attach() also falls through to fastrpc_map_put() after
manually detaching and putting the dma-buf on late errors. Leave the map
object in a state that matches the resources still owned by the release
path so the attachment and dma-buf are not released twice.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 8992b5c0c..50f90e17e 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -580,7 +580,7 @@ static void fastrpc_context_free(struct kref *ref)
cctx = ctx->cctx;
fl = ctx->fl;

- for (i = 0; i < ctx->nbufs; i++)
+ for (i = 0; i < ctx->nscalars; i++)
fastrpc_map_put(ctx->maps[i]);

if (ctx->buf)
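Review bot: Extending the put loop to `ctx->nscalars` in fastrpc_context_free() is only balanced if no other path already drops the reference held for handle arguments, and that is not visible in this hunk. In-tree versions of this driver release handle maps from the DSP-returned fd list in fastrpc_put_args(); if that still applies here, a handle map could be put twice and freed while still referenced. The loop also assumes `ctx->maps` has `nscalars` slots and that fastrpc_map_put() accepts a NULL slot for arguments that were never mapped. Once both are confirmed, a comment on the loop would record it, e.g. `/* maps[] has nscalars slots; unmapped slots are NULL and ignored by fastrpc_map_put() */`. The function body continues outside the hunk.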
@@ -917,7 +917,7 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
if (IS_ERR(table)) {
err = PTR_ERR(table);
- goto map_err;
+ goto detach_err;
}
map->table = table;

@@ -966,9 +966,15 @@ static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
return 0;

map_err:
+ dma_buf_unmap_attachment_unlocked(map->attach, map->table,
+ DMA_BIDIRECTIONAL);
+ map->table = NULL;
+detach_err:
dma_buf_detach(map->buf, map->attach);
+ map->attach = NULL;
attach_err:
dma_buf_put(map->buf);
+ map->buf = NULL;
get_err:
fastrpc_map_put(map);
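Review bot: The NULL assignments after each unwind step at `map_err`, `detach_err` and `attach_err` only prevent a second release if the kref release callback reached through `fastrpc_map_put(map)` skips its unmap/detach/put when those fields are NULL. That callback is outside the hunk, so the guard needs to be confirmed there; a check on `map->table` alone would be enough, since on every path shown it is either cleared or never assigned. A comment above the ladder would protect the invariant, e.g. `/* Undo each step and clear its field so fastrpc_map_put() below frees only the map object */`. The `goto detach_err` retarget in the earlier hunk depends on the same ladder, and fastrpc_map_attach() begins outside this hunk.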

--
2.54.0