msm: camera: memmgr: Avoid TOCTOU buffer access on multiple use of same fd

static int cam_mem_util_map_hw_va(uint32_t flags,

	int32_t *mmu_hdls,

	int32_t num_hdls,

	int fd,

	int fd, struct dma_buf *dmabuf,

	dma_addr_t *hw_vaddr,

	size_t *len,

	enum cam_smmu_region_id region,

				fd,

				dir,

				hw_vaddr,

				len);

				len,

				dmabuf);

			if (rc < 0) {

				CAM_ERR(CAM_MEM,

				(dma_addr_t *)hw_vaddr,

				len,

				region,

				is_internal);

				is_internal,

				dmabuf);

			if (rc < 0) {

				CAM_ERR(CAM_MEM,

			cmd->mmu_hdls,

			cmd->num_hdl,

			fd,

			dmabuf,

			&hw_vaddr,

			&len,

			region,

			cmd->mmu_hdls,

			cmd->num_hdl,

			cmd->fd,

			dmabuf,

			&hw_vaddr,

			&len,

			CAM_SMMU_REGION_IO,

		if (cam_mem_util_unmap_hw_va(idx, region, client))

			CAM_ERR(CAM_MEM, "Failed, dmabuf=%pK",

				tbl.bufq[idx].dma_buf);

		if (client == CAM_SMMU_MAPPING_KERNEL)

			tbl.bufq[idx].dma_buf = NULL;

	}

	mutex_lock(&tbl.m_lock);

		tbl.bufq[idx].is_imported,

		tbl.bufq[idx].dma_buf);

	if (tbl.bufq[idx].dma_buf)

	dma_buf_put(tbl.bufq[idx].dma_buf);

	tbl.bufq[idx].fd = -1;

static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd,

	bool dis_delayed_unmap, enum dma_data_direction dma_dir,

	dma_addr_t *paddr_ptr, size_t *len_ptr,

	enum cam_smmu_region_id region_id, bool is_internal);

	enum cam_smmu_region_id region_id, bool is_internal, struct dma_buf *dmabuf);

static int cam_smmu_map_kernel_buffer_and_add_to_list(int idx,

	struct dma_buf *buf, enum dma_data_direction dma_dir,

	if (IS_ERR_OR_NULL(attach)) {

		rc = PTR_ERR(attach);

		CAM_ERR(CAM_SMMU, "Error: dma buf attach failed");

		goto err_put;

		goto err_out;

	}

	if (region_id == CAM_SMMU_REGION_SHARED) {

	dma_buf_unmap_attachment(attach, table, dma_dir);

err_detach:

	dma_buf_detach(buf, attach);

err_put:

	dma_buf_put(buf);

err_out:

	return rc;

}

static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd,

	bool dis_delayed_unmap, enum dma_data_direction dma_dir,

	dma_addr_t *paddr_ptr, size_t *len_ptr,

	enum cam_smmu_region_id region_id, bool is_internal)

	enum cam_smmu_region_id region_id, bool is_internal, struct dma_buf *buf)

{

	int rc = -1;

	struct cam_dma_buff_info *mapping_info = NULL;

	struct dma_buf *buf = NULL;

	/* returns the dma_buf structure related to an fd */

	buf = dma_buf_get(ion_fd);

	rc = cam_smmu_map_buffer_validate(buf, idx, dma_dir, paddr_ptr, len_ptr,

		region_id, dis_delayed_unmap, &mapping_info);

	dma_buf_detach(mapping_info->buf, mapping_info->attach);

	dma_buf_put(mapping_info->buf);

	if (iommu_cb_set.map_profile_enable) {

		CAM_GET_TIMESTAMP(ts2);

static int cam_smmu_map_stage2_buffer_and_add_to_list(int idx, int ion_fd,

		 enum dma_data_direction dma_dir, dma_addr_t *paddr_ptr,

		 size_t *len_ptr)

		 size_t *len_ptr, struct dma_buf *dmabuf)

{

	int rc = 0;

	struct dma_buf *dmabuf = NULL;

	struct dma_buf_attachment *attach = NULL;

	struct sg_table *table = NULL;

	struct cam_sec_buff_info *mapping_info;

	*paddr_ptr = (dma_addr_t)NULL;

	*len_ptr = (size_t)0;

	dmabuf = dma_buf_get(ion_fd);

	if (IS_ERR_OR_NULL((void *)(dmabuf))) {

		CAM_ERR(CAM_SMMU,

			"Error: dma buf get failed, idx=%d, ion_fd=%d",

			idx, ion_fd);

		rc = PTR_ERR(dmabuf);

		goto err_out;

	}

	/*

	 * ion_phys() is deprecated. call dma_buf_attach() and

	 * dma_buf_map_attachment() to get the buffer's physical

			"Error: dma buf attach failed, idx=%d, ion_fd=%d",

			idx, ion_fd);

		rc = PTR_ERR(attach);

		goto err_put;

		goto err_out;

	}

	attach->dma_map_attrs |= DMA_ATTR_SKIP_CPU_SYNC;

	dma_buf_unmap_attachment(attach, table, dma_dir);

err_detach:

	dma_buf_detach(dmabuf, attach);

err_put:

	dma_buf_put(dmabuf);

err_out:

	return rc;

}

int cam_smmu_map_stage2_iova(int handle,

		int ion_fd, enum cam_smmu_map_dir dir,

		dma_addr_t *paddr_ptr, size_t *len_ptr)

		dma_addr_t *paddr_ptr, size_t *len_ptr,

		struct dma_buf *dmabuf)

{

	int idx, rc;

	enum dma_data_direction dma_dir;

		goto get_addr_end;

	}

	rc = cam_smmu_map_stage2_buffer_and_add_to_list(idx, ion_fd, dma_dir,

			paddr_ptr, len_ptr);

			paddr_ptr, len_ptr, dmabuf);

	if (rc < 0) {

		CAM_ERR(CAM_SMMU,

			"Error: mapping or add list fail, idx=%d, handle=%d, fd=%d, rc=%d",

	dma_buf_unmap_attachment(mapping_info->attach,

		mapping_info->table, mapping_info->dir);

	dma_buf_detach(mapping_info->buf, mapping_info->attach);

	dma_buf_put(mapping_info->buf);

	mapping_info->buf = NULL;

	list_del_init(&mapping_info->list);

int cam_smmu_map_user_iova(int handle, int ion_fd, bool dis_delayed_unmap,

	enum cam_smmu_map_dir dir, dma_addr_t *paddr_ptr,

	size_t *len_ptr, enum cam_smmu_region_id region_id,

	bool is_internal)

	bool is_internal, struct dma_buf *dmabuf)

{

	int idx, rc = 0;

	struct timespec64 *ts = NULL;

	rc = cam_smmu_map_buffer_and_add_to_list(idx, ion_fd,

		dis_delayed_unmap, dma_dir, paddr_ptr, len_ptr,

		region_id, is_internal);

		region_id, is_internal, dmabuf);

	if (rc < 0) {

		CAM_ERR(CAM_SMMU,

			"mapping or add list fail cb:%s idx=%d, fd=%d, region=%d, rc=%d",

 */

int cam_smmu_map_user_iova(int handle, int ion_fd, bool dis_delayed_unmap,

	enum cam_smmu_map_dir dir, dma_addr_t *dma_addr, size_t *len_ptr,

	enum cam_smmu_region_id region_id, bool is_internal);

	enum cam_smmu_region_id region_id, bool is_internal, struct dma_buf *dmabuf);

/**

 * @brief        : Maps kernel space IOVA for calling driver

 */

int cam_smmu_map_stage2_iova(int handle,

	int ion_fd, enum cam_smmu_map_dir dir, dma_addr_t *dma_addr,

	size_t *len_ptr);

	size_t *len_ptr, struct dma_buf *dmabuf);

/**

 * @brief Unmaps secure memopry for SMMU handle