misc: fastrpc: avoid duplicate DMA mappings in fastrpc_create_maps()#774

Open
Jianping-Li wants to merge 2 commits into qualcomm-linux:qcom-6.18.y from Jianping-Li:lookup_fix

Conversation

@Jianping-Li Jianping-Li commented Jun 25, 2026

fastrpc_create_maps() performs map lookup only for buffer arguments (i < ctx->nbufs) via fastrpc_map_create(). For
arguments beyond this range, no lookup is performed, which can result in duplicate DMA mappings for the same file descriptor.

Additionally, if the same file descriptor is passed multiple times within a single invocation, performing lookups with
reference counting would increment the reference multiple times, while fastrpc_put_args() would release it only once,
leading to an imbalanced reference count.

Fix this by allowing fastrpc_map_create() to control whether the lookup should take a reference. For arguments beyond
ctx->nbufs, the lookup is performed without taking a reference, ensuring that existing mappings are reused without introducing duplicate DMA mappings or reference count imbalance.

CRs-Fixed: 4490320

reyn-osec and others added 2 commits June 25, 2026 16:34
fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.

Link: https://lore.kernel.org/all/20260530204528.116920-5-srini@kernel.org/
Fixes: 10df039 ("misc: fastrpc: Skip reference for DMA handles")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
…te_maps()

fastrpc_create_maps() performs map lookup only for buffer
arguments (i < ctx->nbufs) via fastrpc_map_create(). For
arguments beyond this range, no lookup is performed, which
can result in duplicate DMA mappings for the same file
descriptor.

Additionally, if the same file descriptor is passed multiple
times within a single invocation, performing lookups with
reference counting would increment the reference multiple
times, while fastrpc_put_args() would release it only once,
leading to an imbalanced reference count.

Fix this by allowing fastrpc_map_create() to control whether
the lookup should take a reference. For arguments beyond
ctx->nbufs, the lookup is performed without taking a
reference, ensuring that existing mappings are reused
without introducing duplicate DMA mappings or reference
count imbalance.

Link: https://lore.kernel.org/all/20260625080832.17477-1-jianping.li@oss.qualcomm.com/
Fixes: 10df039 ("misc: fastrpc: Skip reference for DMA handles")
Cc: stable@kernel.org
Signed-off-by: Jianping Li <jianping.li@oss.qualcomm.com>
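The block below is an added example, not the driver's code or this PR's patch: a user-space C model of the lookup, reference-taking and release behaviour that the PR description and the two commit messages above describe. The map table, the enum and the function names are assumptions; the model compares three behaviours for arguments past ctx->nbufs: no lookup at all (a second mapping of the same fd), a lookup that takes a reference (one release in fastrpc_put_args() leaves the map alive), and the PR's lookup without a reference.

```c
#include <stdbool.h>
#include <stddef.h>
#define N 8
enum mode { OLD_NO_LOOKUP, REF_ALL, FIXED };   /* behaviour past nbufs: pre-fix, naive, this PR */
struct map { int fd, refs; bool in_use; };     /* one DMA mapping of an fd (assumed model) */
/* fastrpc_map_lookup() model (lock elided): any reference is taken inside the lookup, only if asked */
static struct map *map_lookup(struct map *fl, int fd, bool take_ref)
{
	for (int i = 0; i < N; i++)
		if (fl[i].in_use && fl[i].fd == fd) {
			fl[i].refs += take_ref;
			return &fl[i];
		}
	return NULL;
}
/* fastrpc_map_create() model: reuse via lookup when requested, else a fresh entry, i.e. a second DMA mapping */
static struct map *map_create(struct map *fl, int fd, bool lookup, bool take_ref)
{
	struct map *m = lookup ? map_lookup(fl, fd, take_ref) : NULL;
	for (int i = 0; !m && i < N; i++)
		if (!fl[i].in_use)
			*(m = &fl[i]) = (struct map){ .fd = fd, .refs = 1, .in_use = true };
	return m;
}
/* fastrpc_put_args() as the PR describes it: each map is released once, however often it was passed */
static void put_args(struct map **maps, int nargs)
{
	for (int i = 0; i < nargs; i++) {
		bool seen = false;
		for (int j = 0; j < i; j++) seen |= maps[j] == maps[i];
		if (!seen && --maps[i]->refs == 0)
			maps[i]->in_use = false;
	}
}
/* fastrpc_create_maps() model on a constructed invocation: fd 5 as buffer 0 and again as
 * argument 2 (past nbufs). Returns how many mappings are live, before or after put_args(). */
int live_maps(enum mode mode, bool after_put)
{
	struct map fl[N] = {0}, *maps[3];
	const int fds[3] = {5, 6, 5}, nbufs = 2;
	int n = 0;
	for (int i = 0; i < 3; i++) {
		bool buf = i < nbufs;   /* i < nbufs: always look up and take a reference */
		maps[i] = map_create(fl, fds[i], buf || mode != OLD_NO_LOOKUP, buf || mode == REF_ALL);
	}
	if (after_put) put_args(maps, 3);
	for (int i = 0; i < N; i++) n += fl[i].in_use;
	return n;
}
```

With the pre-fix behaviour the same fd ends up mapped twice; with a reference-taking lookup past nbufs one mapping survives put_args(); with the PR's behaviour there is one mapping and it is released cleanly.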
@Jianping-Li Jianping-Li requested review from a team, knaveen-qc, sgaud-quic and trsoni June 25, 2026 08:57
@qswat-orbit-external

Merge Check Failed: No Change Task Found

No associated change tasks found for CR 4490320 on any of the following entities:

Entities:

  • kernel.qli.2.0

CR: 4490320

Please ensure the CR has a change task associated with at least one of the entities for this branch.

@qlijarvis

PR #774 — validate-patch

PR: #774

Verdict | Issues | Detailed Report
⚠️ | 2 | Full report

Final Summary

  1. Lore link present: Yes — both commits include lore.kernel.org links in Link: tags
  2. Lore link matches PR commits: Cannot verify (network restricted) — links are present and formatted correctly, dates align with commit dates suggesting recent/concurrent submission
  3. Upstream patch status:
    • Commit 1: Marked BACKPORT, suggests already upstream but no SHA provided
    • Commit 2: Marked FROMLIST, indicates under review on mailing list (dated same day as analysis: 2026-06-25)
  4. PR present in qcom-next: Not checked — no kernel tree access per constraints
Full report

🔍 Patch Validation

PR: #774
Upstream commits:


Commit 1: BACKPORT: misc: fastrpc: fix use-after-free race in fastrpc_map_create

Commit Message

Check | Status | Note
Subject matches upstream | ⚠️ | Added "BACKPORT:" prefix; core subject preserved
Body preserves rationale | | Full rationale preserved verbatim
Fixes tag present/correct | | Fixes: 10df039834f8 present
Authorship preserved | | Original author Zhenghang Xiao preserved
Backport note (if applicable) | ⚠️ | BACKPORT prefix present but no explicit backport context in body

Diff

File | Status | Notes
drivers/misc/fastrpc.c | | Changes appear structurally sound: adds take_ref parameter to fastrpc_map_lookup, updates all call sites

Issues

  • BACKPORT prefix without context: The commit uses BACKPORT: prefix but does not explain which kernel version this is being backported to, or why backporting is necessary. Standard kernel practice for backports includes a note like "[ Upstream commit ]" or explanation of adaptation.
  • Lore link date anomaly: The lore link shows date 20260530 (May 30, 2026) but the commit date is also May 30, 2026. This suggests the patch may be very recent or the dates are future-dated (current date context shows June 25, 2026).

Verdict

Structurally correct but missing backport context. Should add upstream commit SHA or explain adaptation if this is a backport.


Commit 2: FROMLIST: misc: fastrpc: avoid duplicate DMA mappings in fastrpc_create_maps()

Commit Message

Check | Status | Note
Subject matches upstream | ⚠️ | Added "FROMLIST:" prefix; core subject preserved
Body preserves rationale | | Detailed explanation of the problem and fix
Fixes tag present/correct | ⚠️ | Fixes: 10df039834f84 has extra digit (should be 12-char SHA)
Authorship preserved | | Author Jianping Li with @oss.qualcomm.com email
Backport note (if applicable) | N/A | FROMLIST indicates pending upstream review

Diff

File | Status | Notes
drivers/misc/fastrpc.c | | Extends commit 1's take_ref parameter to fastrpc_map_create, updates all call sites consistently

Issues

  • Fixes tag SHA length: The Fixes tag shows 10df039834f84 (13 characters) instead of the standard 12-character format. Should be 10df039834f8.
  • Cc tag format: Uses Cc: stable@kernel.org instead of Cc: stable@vger.kernel.org (commit 1 uses the correct format).
  • Lore link date: Shows 20260625 (June 25, 2026) which matches the commit date, suggesting this is a very recent or same-day submission.
  • Dependency on commit 1: This commit builds directly on commit 1's changes (extends the take_ref parameter). The two commits form a logical series.

Verdict

Functionally correct but has minor tag formatting issues (Fixes SHA length, stable email address).


Overall Assessment

Issues Summary

  1. Commit 1 (BACKPORT):

    • Missing backport context (no upstream SHA reference or adaptation notes)
    • BACKPORT prefix suggests this is a backport, but no explanation of what it's backported from
  2. Commit 2 (FROMLIST):

    • Fixes tag has 13-character SHA instead of 12
    • Cc: stable email uses @kernel.org instead of @vger.kernel.org
  3. Series dependency:

    • Commit 2 depends on commit 1's changes (both modify fastrpc_map_lookup and fastrpc_map_create)
    • The series is logically coherent and addresses related race conditions

Verdict

⚠️ PARTIAL PASS — The patches are functionally correct and address real use-after-free and duplicate mapping issues. However, they have metadata issues:

  • Commit 1 needs backport context or upstream SHA
  • Commit 2 needs Fixes tag correction (12-char SHA) and stable email correction

Recommendations

  1. For commit 1: Either remove "BACKPORT:" prefix if this is the original submission, or add proper backport context like:

    [ Upstream commit <12-char-sha> ]

    or explain any adaptations made during backport.

  2. For commit 2: Fix the Fixes tag:

    - Fixes: 10df039834f84 ("misc: fastrpc: Skip reference for DMA handles")
    + Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")

    And correct the stable Cc:

    - Cc: stable@kernel.org
    + Cc: stable@vger.kernel.org

@qlijarvis

PR #774 — checker-log-analyzer

PR: #774
Checker run: https://github.com/qualcomm-linux/kernel-config/actions/runs/28158895933

Checker | Result | Summary
checkpatch | ❌ | Alignment issue in commit 2/2
dt-binding-check | ⏭️ | No DT binding changes
dtb-check | ⏭️ | No devicetree changes
sparse-check | | Passed
check-uapi-headers | | No UAPI changes
check-patch-compliance | ❌ | Commit 1/2 differs from upstream link
tag-check | N/A | Not applicable for this branch
qcom-next-check | | BACKPORT/FROMLIST prefixes present

Detailed report: Full report

Checker analysis

🤖 CI Checker Analysis (checker-log-analyzer)

PR: #774 - misc: fastrpc: fix use-after-free and duplicate DMA mappings
Source: https://github.com/qualcomm-linux/kernel-config/actions/runs/28158895933

❌ checkpatch

Root cause: Alignment mismatch in drivers/misc/fastrpc.c:1050 - continuation line not aligned with opening parenthesis

Failure details:

CHECK: Alignment should match open parenthesis
#70: FILE: drivers/misc/fastrpc.c:1050:
+		err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, ctx->args[i].length,
+			 ctx->args[i].attr, &ctx->maps[i], take_ref);

eeca32ce98cadac9e74f58ac194328f993bea3f3 total: 0 errors, 0 warnings, 1 checks, 57 lines checked

Fix: Align the second line with the opening parenthesis. Change:

err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, ctx->args[i].length,
			 ctx->args[i].attr, &ctx->maps[i], take_ref);

To:

err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, ctx->args[i].length,
				 ctx->args[i].attr, &ctx->maps[i], take_ref);

(Add one more tab to align with the opening parenthesis after fastrpc_map_create().)

Reproduce locally:

./scripts/checkpatch.pl --strict --summary-file --ignore FILE_PATH_CHANGES --git c9744addfb04eec214121e1fc11040e828576da4..eeca32ce98cadac9e74f58ac194328f993bea3f3

❌ check-patch-compliance

Root cause: Commit 9a36fb26a802 (BACKPORT) differs from the upstream patch referenced in the Link tag

Failure details:

Checking commit: BACKPORT: misc: fastrpc: fix use-after-free race in fastrpc_map_create
Change is different from the one mentioned in Link

The checker detected that the patch content in commit 1/2 does not match the upstream patch at:
https://lore.kernel.org/all/20260530204528.116920-5-srini@kernel.org/

Fix:

  1. Verify the upstream patch content matches your backport exactly
  2. If intentional changes were made for backporting (e.g., context differences, dependency adjustments), document them in the commit message with an explanation like:

    [ Upstream commit <sha> ]

    Context adjustment: <explain any differences>

  3. If the patch should match exactly, fetch the correct version from lore and reapply:

    b4 am https://lore.kernel.org/all/20260530204528.116920-5-srini@kernel.org/

Reproduce locally:

bash ../kernel-checkers/check-patch-compliance.sh --kernel-src . \
  --base c9744addfb04eec214121e1fc11040e828576da4 --head eeca32ce98cadac9e74f58ac194328f993bea3f3

Verdict

2 blockers must be fixed before merge:

  1. checkpatch alignment issue - Fix indentation in commit eeca32c
  2. patch compliance mismatch - Verify commit 9a36fb2 matches upstream or document intentional changes
