[PATCH 3/3] misc: fastrpc: protect interrupted mmap cleanup
From: Yousef Alhouseen
Date: Thu Jun 25 2026 - 04:58:49 EST
The interrupted invoke path walks and moves fl->mmaps without holding
fl->lock, racing concurrent mmap and munmap operations that use the same
list. Move the buffers while holding the user lock and use list_del_init()
so later cleanup can safely identify moved nodes.
Buffers moved to the channel interrupted list are also discarded on rpmsg
removal without freeing their coherent DMA allocations. Free them during
channel removal so interrupted invokes cannot permanently leak DMA buffers.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 50f90e17e..608878052 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1395,10 +1395,12 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
bail:
if (err == -ERESTARTSYS) {
+ spin_lock(&fl->lock);
list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
- list_del(&buf->node);
+ list_del_init(&buf->node);
list_add_tail(&buf->node, &fl->cctx->invoke_interrupted_mmaps);
}
+ spin_unlock(&fl->lock);
}
/* We are done with this compute context */
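Review bot: The destination list `fl->cctx->invoke_interrupted_mmaps` belongs to the channel, but the added `spin_lock(&fl->lock)` is a per-user lock, so two users of the same channel interrupted at the same time can still run `list_add_tail()` on it concurrently; the unlocked walk in the fastrpc_rpmsg_remove hunk has the same exposure. The channel-wide list presumably needs a channel-level lock taken on both sides, nested consistently with `fl->lock`; which lock that should be cannot be determined from this hunk. Separately, `list_del_init()` followed at once by `list_add_tail()` leaves the node linked into the new list rather than empty, so it cannot help later code "identify moved nodes"; `list_move_tail(&buf->node, &fl->cctx->invoke_interrupted_mmaps);` states the operation directly. fastrpc_internal_invoke begins and continues outside the hunk.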
@@ -2628,8 +2630,10 @@ static void fastrpc_rpmsg_remove(struct rpmsg_device *rpdev)
if (cctx->secure_fdevice)
misc_deregister(&cctx->secure_fdevice->miscdev);
- list_for_each_entry_safe(buf, b, &cctx->invoke_interrupted_mmaps, node)
- list_del(&buf->node);
+ list_for_each_entry_safe(buf, b, &cctx->invoke_interrupted_mmaps, node) {
+ list_del_init(&buf->node);
+ fastrpc_buf_free(buf);
+ }
if (cctx->remote_heap)
fastrpc_buf_free(cctx->remote_heap);
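Review bot: `list_del_init(&buf->node)` in the new loop has no lasting effect, because `fastrpc_buf_free(buf)` on the next line presumably releases the structure that holds the node; plain `list_del()` would do. What the loop needs is a comment stating why freeing is safe at this point, e.g. `/* remote side is gone; buffers kept for interrupted invokes can be released */`. These buffers were parked on the channel list because an invoke was interrupted, so if the remote processor can still reach them at this position in the teardown, the free returns coherent DMA memory that it may still write to. fastrpc_rpmsg_remove starts and ends outside the hunk, so the ordering against the rest of the teardown cannot be checked from here.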
--
2.54.0