misc: fastrpc: Fix incorrect DMA mapping unmap request

Scatterlist table is obtained during map create request and the same
table is used for DMA mapping unmap. In case there is any failure
while getting the sg_table, ERR_PTR is returned instead of sg_table.

When the map is getting freed, there is only a non-NULL check of
sg_table which will also be true in case failure was returned instead
of sg_table. This would result in improper unmap request. Add proper
check before setting map table to avoid bad unmap request.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <stable@kernel.org>
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20230811115643.38578-3-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 7d8818a..0b376d9 100644 (file)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -757,6 +757,7 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
 {
        struct fastrpc_session_ctx *sess = fl->sctx;
        struct fastrpc_map *map = NULL;
+       struct sg_table *table;
        int err = 0;
 
        if (!fastrpc_map_lookup(fl, fd, ppmap, true))
@@ -784,11 +785,12 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
                goto attach_err;
        }
 
-       map->table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
-       if (IS_ERR(map->table)) {
-               err = PTR_ERR(map->table);
+       table = dma_buf_map_attachment_unlocked(map->attach, DMA_BIDIRECTIONAL);
+       if (IS_ERR(table)) {
+               err = PTR_ERR(table);
                goto map_err;
        }
+       map->table = table;
 
        if (attr & FASTRPC_ATTR_SECUREMAP) {
                map->phys = sg_phys(map->table->sgl);