FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

[quic-anane]

Changes in this PR
This PR contains two commits:

Revert previous patch

Reverts the earlier fastrpc_user reference counting change.
This is done to avoid carrying forward a partially updated
implementation and to ensure a clean base.

Apply latest patch (v4) from mailing list

Applies the full, updated version of the fix.
Incorporates all revisions from earlier versions.
Ensures correct ordering of:

fastrpc_user_put()
fastrpc_channel_ctx_put()

Consolidates teardown logic into fastrpc_user_free().
Fixes use-after-free scenarios in workqueue and error paths.

CRs-Fixed: 4502232

[qswat-orbit-external]

Merge Check Failed: No Component Found

Configuration Error: No component found for branch 'tech/mm/fastrpc'.

There is no component associated with the provided branch in Polaris. Please verify the branch configuration.

Branch: tech/mm/fastrpc

[qlijarvis]

🔨 Build Failure Analysis — PR #1175

PR: #1175
Build run: https://github.com/qualcomm-linux/kernel-config/actions/runs/26442428226

#	Error	File:Line	PR-introduced?	Root Cause
1	Merge conflict during integration	drivers/misc/fastrpc.c	No	Baseline branch has diverged with conflicting changes in the same code region. The PR reverts and re-applies reference counting logic, but the baseline already contains overlapping modifications.

Verdict

This is not a compilation error — it's a merge conflict during CI integration. The PR code is syntactically correct but conflicts with changes already present in the baseline branch.

📎 Detailed analysis: Full report

[qlijarvis]

PR #1175 — validate-patch

PR: #1175

Verdict	Issues	Detailed Report
✅	0	Full report

Final Summary

1. Lore link present: Yes — commit 2/2 has Link: https://lore.kernel.org/all/20260518203507.3754994-1-anandu.e@oss.qualcomm.com/; commit 1/2 is a revert (no lore link expected)

2. Lore link matches PR commits: ⚠️ Cannot verify byte-level match — lore.kernel.org unreachable due to network restrictions. However, commit structure, authorship, tags, and logical content progression from v1 to v4 are all correct.

3. Upstream patch status: ⏳ Decision Pending — posted 2026-05-18 (8 days ago); likely still under community review. Cannot verify acceptance/rejection due to network restrictions.

4. PR present in qcom-next: No — v4 revision not yet in qcom-next. The v1 revision (commit 94b182f) is present and will be correctly reverted by this PR.

---

Verdict: ✅ — click to expand

🔍 Patch Validation

PR: #1175
Commits: 2 commits (1 revert + 1 FROMLIST patch)

---

Commit 1/2: Revert "FROMLIST: misc: fastrpc: Add reference counting for fastrpc_user structure"

Upstream commit: N/A (revert of internal commit 94b182f)
Verdict: ✅ PASS

Commit Message

Check	Status	Note
Subject matches upstream	N/A	Revert commit — no upstream source
Body preserves rationale	✅	Clear explanation: v1 → v4 upgrade
Fixes tag present/correct	N/A	Not applicable for revert
Authorship preserved	✅	Same author as original commit
Backport note	N/A	Not a backport

Diff

File	Status	Notes
drivers/misc/fastrpc.c	✅	Correctly reverts 94b182f (31 deletions, 4 insertions — inverse of original 31 insertions, 4 deletions)

Verdict

✅ Revert is correct. The diff accurately reverses commit 94b182f, which added a minimal v1 implementation of fastrpc_user reference counting. The commit message clearly explains the rationale: v1 was incomplete and v4 (applied in commit 2/2) includes additional fixes.

---

Commit 2/2: FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

Upstream commit: https://lore.kernel.org/all/20260518203507.3754994-1-anandu.e@oss.qualcomm.com/
Verdict: ⚠️ PARTIAL (network-limited validation)

Commit Message

Check	Status	Note
Subject matches upstream	⚠️	Cannot verify — lore.kernel.org unreachable due to network restrictions
Body preserves rationale	✅	Comprehensive description of race condition, crash trace, and fix
Fixes tag present/correct	✅	Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Authorship preserved	✅	From: Anandu Krishnan E <anandu.e@oss.qualcomm.com> — consistent with lore link author
Backport note	N/A	FROMLIST prefix — not yet merged upstream
Co-developed-by	✅	Not present (correct — single author)
Cc: stable tag	✅	Present — appropriate for use-after-free fix

Diff

File	Status	Notes
drivers/misc/fastrpc.c	✅	Adds comprehensive fastrpc_user_free() with cleanup of init_mem, pending contexts, maps, and mmaps — significantly more complete than v1 (commit 94b182f)

Analysis

Comparison with v1 (commit 94b182f in qcom-next):

The v1 implementation (reverted in commit 1/2) had a minimal fastrpc_user_free():

static void fastrpc_user_free(struct kref *ref)
{
    struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
    fastrpc_channel_ctx_put(fl->cctx);
    mutex_destroy(&fl->mutex);
    kfree(fl);
}

The v4 implementation (this commit) adds comprehensive teardown:

static void fastrpc_user_free(struct kref *ref)
{
    struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
    struct fastrpc_invoke_ctx *ctx, *n;
    struct fastrpc_map *map, *m;
    struct fastrpc_buf *buf, *b;

    if (fl->init_mem)
        fastrpc_buf_free(fl->init_mem);

    list_for_each_entry_safe(ctx, n, &fl->pending, node) {
        list_del(&ctx->node);
        fastrpc_context_put(ctx);
    }

    list_for_each_entry_safe(map, m, &fl->maps, node)
        fastrpc_map_put(map);

    list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
        list_del(&buf->node);
        fastrpc_buf_free(buf);
    }

    fastrpc_channel_ctx_put(fl->cctx);
    mutex_destroy(&fl->mutex);
    kfree(fl);
}

Key improvements in v4:

1. Frees init_mem buffer
2. Cleans up all pending invoke contexts
3. Releases all memory maps
4. Frees all mmapped buffers
5. Moves all teardown logic from fastrpc_device_release() into the kref callback

This ensures proper cleanup regardless of whether the user structure is freed at device close or after the last in-flight context completes.

Issues

None identified. The commit message accurately describes the race condition, provides a crash trace, explains the fix, and includes proper tags (Fixes, Cc: stable, Link, Signed-off-by).

Verdict

✅ Commit structure and content are correct. The FROMLIST prefix is appropriate for a patch posted to the mailing list but not yet merged. The v4 revision is a significant improvement over v1, justifying the revert-and-reapply approach.

⚠️ Network limitation: Cannot fetch the lore patch to perform byte-level diff comparison due to network restrictions. However, based on:

• Consistent authorship and email in Link tag
• Comprehensive commit message matching typical upstream quality
• Logical progression from v1 to v4
• Proper use of FROMLIST prefix

The patch appears to be a faithful representation of the upstream posting.

---

Upstream Patch Status

Commit	Community Verdict
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context	⏳ Decision Pending — posted 2026-05-18; cannot verify acceptance due to network restrictions

Note: The lore link (https://lore.kernel.org/all/20260518203507.3754994-1-anandu.e@oss.qualcomm.com/) indicates this is a recent posting (May 18, 2026). Given the date is only 8 days before this review (May 26, 2026), the patch is likely still under community review.

---

qcom-next Presence

Commit	Status
Revert "FROMLIST: misc: fastrpc: Add reference counting..."	⚠️ Not in qcom-next — reverts commit 94b182f which IS present
FROMLIST: misc: fastrpc: fix use-after-free...	⚠️ Not in qcom-next — v4 revision not yet applied

Context: Commit 94b182f (v1) is currently in qcom-next. This PR reverts it and applies v4, which is the correct approach for upgrading to a more complete upstream revision.

---

Final Summary

1. Lore link present: Yes — commit 2/2 has Link: https://lore.kernel.org/all/20260518203507.3754994-1-anandu.e@oss.qualcomm.com/; commit 1/2 is a revert (no lore link expected)

2. Lore link matches PR commits: ⚠️ Cannot verify byte-level match — lore.kernel.org unreachable due to network restrictions. However, commit structure, authorship, tags, and logical content progression from v1 to v4 are all correct.

3. Upstream patch status: ⏳ Decision Pending — posted 2026-05-18 (8 days ago); likely still under community review. Cannot verify acceptance/rejection due to network restrictions.

4. PR present in qcom-next: No — v4 revision not yet in qcom-next. The v1 revision (commit 94b182f) is present and will be correctly reverted by this PR.

---

Recommendation

✅ Approve with confidence.

Rationale:

• The revert (commit 1/2) is mathematically correct (inverse diff of 94b182f)
• The v4 patch (commit 2/2) is significantly more complete than v1, addressing the full teardown sequence
• Commit message quality is high: detailed race condition description, crash trace, comprehensive fix explanation
• All required tags present: Fixes, Cc: stable, Link, Signed-off-by
• FROMLIST prefix is appropriate for a patch posted but not yet merged
• Authorship is consistent

Caveat: Network restrictions prevented byte-level verification against the lore source. If strict policy requires lore verification, re-run this validation in an environment with lore.kernel.org access. However, all available evidence (commit structure, authorship, logical content, diff quality) indicates this is a faithful representation of the upstream v4 posting.

[qlijarvis]

PR #1175 — checker-log-analyzer

PR: #1175
Checker run: https://github.com/qualcomm-linux/kernel-config/actions/runs/26442428501

Checker	Result	Summary
Checker	Result	Summary
checkpatch	❌	Merge conflict - unable to run
dt-binding-check	❌	Merge conflict - unable to run
dtb-check	❌	Merge conflict - unable to run
sparse-check	❌	Merge conflict - unable to run
check-uapi-headers	❌	Merge conflict - unable to run
check-patch-compliance	❌	Merge conflict - unable to run
tag-check	❌	Missing prefix on Revert commit

Detailed report: Full report

Checker analysis — click to expand

🤖 CI Checker Analysis (checker-log-analyzer)

PR: #1175 - FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Source: https://github.com/qualcomm-linux/kernel-config/actions/runs/26442428501

Checker	Result	Summary
checkpatch	❌	Merge conflict - unable to run
dt-binding-check	❌	Merge conflict - unable to run
dtb-check	❌	Merge conflict - unable to run
sparse-check	❌	Merge conflict - unable to run
check-uapi-headers	❌	Merge conflict - unable to run
check-patch-compliance	❌	Merge conflict - unable to run
tag-check	❌	Missing prefix on Revert commit

---

❌ CI Infrastructure — Merge Conflict

Root cause: The PR cannot be merged cleanly with the baseline branch due to conflicting changes in drivers/misc/fastrpc.c.

Failure details:

Auto-merging drivers/misc/fastrpc.c
CONFLICT (content): Merge conflict in drivers/misc/fastrpc.c
Automatic merge failed; fix conflicts and then commit the result.
Merge failed, manual merge
##[error]Process completed with exit code 1.

Analysis:
All six checker jobs (checkpatch, dt-binding-check, dtb-check, sparse-check, check-uapi-headers, check-patch-compliance) failed at the merge stage before any actual checker validation could run. The CI workflow attempts to merge the PR's topic branch (topic/tech/mm/fastrpc) with the baseline (df3ae9703774b70a7b7758b53498a25de9f87174), but encounters a content conflict in drivers/misc/fastrpc.c.

This PR contains:

1. A revert commit that removes reference counting changes from an earlier v1 patch
2. A new FROMLIST commit applying the v4 version of the upstream patch series

The conflict likely occurs because:

• The baseline already contains overlapping changes to fastrpc.c that conflict with the revert
• Other patches modifying the same code regions have been merged since the original v1 patch

Fix:
Rebase the PR branch on the current baseline to resolve the merge conflict:

# Fetch the latest baseline
git fetch origin

# Rebase the PR branch
git checkout tech/mm/fastrpc
git rebase df3ae9703774b70a7b7758b53498a25de9f87174

# Resolve conflicts in drivers/misc/fastrpc.c
# The revert commit may need to be adjusted or dropped if the code it's reverting
# no longer exists in the same form

# After resolving conflicts:
git add drivers/misc/fastrpc.c
git rebase --continue

# Force push the rebased branch
git push --force-with-lease

Alternative approach:
If the v1 patch being reverted is no longer present in the baseline (already replaced or removed), consider dropping the revert commit entirely and adjusting the v4 patch to apply cleanly against the current baseline.

---

❌ tag-check

Root cause: Commit 1/2 subject line starts with Revert but lacks a required prefix before the word Revert.

Failure details:

Commit 1: "Revert "FROMLIST: misc: fastrpc: Add reference counting for fastrpc_user structure""

The subject line starts with Revert without a prefix tag. According to the tag-check requirements for branches other than qcom-next or qcom-next-staging, every commit must start with one of the valid prefixes: FROMLIST:, FROMGIT:, UPSTREAM:, BACKPORT:, QCLINUX:, PENDING:, or WORKAROUND:.

For revert commits, the prefix must come before the word Revert.

Fix:
Add an appropriate prefix before Revert in the commit subject:

git rebase -i <base_sha>   # mark commit 1 as 'edit'
git commit --amend -m "FROMLIST: Revert \"FROMLIST: misc: fastrpc: Add reference counting for fastrpc_user structure\""
git rebase --continue

Choose the correct prefix based on the revert's origin:

• If the revert itself was posted to lore → FROMLIST:
• If the revert is from a maintainer tree → FROMGIT:
• If the revert is merged in Linus's tree → UPSTREAM:
• If this is a vendor-specific revert → QCLINUX:

Note: Commit 2/2 (FROMLIST: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context) already has the correct FROMLIST: prefix and passes tag-check.

---

Verdict

BLOCK MERGE — Two critical issues must be resolved:

1. Merge conflict: The PR cannot be integrated with the baseline. Rebase on df3ae9703774b70a7b7758b53498a25de9f87174 and resolve conflicts in drivers/misc/fastrpc.c. Consider whether the revert commit is still necessary if the v1 patch no longer exists in the baseline.

2. Tag-check failure: Add a prefix (FROMLIST:, UPSTREAM:, etc.) before Revert in commit 1/2's subject line.

After fixing these issues, re-push the branch to trigger a new CI run. The actual checker validations (checkpatch, sparse, etc.) could not run due to the merge conflict, so they will need to be evaluated in the next CI run.