[PATCH 2/4] misc: fastrpc: fix DMA address corruption due to find_vma misuse

Next message: Rob Herring (Arm): "Re: [PATCH 1/2] dt-bindings: thermal: qcom: add pm8901-temp-alarm"
Previous message: srini: "[PATCH 8/8] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl-&gt;lock"
In reply to: srini: "[PATCH 1/4] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context"
Next in thread: srini: "[PATCH 3/4] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: srini

Date: Sat May 30 2026 - 16:48:18 EST

From: Junrui Luo <moonafterrain@xxxxxxxxxxx>

fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxxxxxxxx>
Signed-off-by: Srinivas Kandagatla <srini@xxxxxxxxxx>
---
drivers/misc/fastrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 48f8262af539..cca7489605c5 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1090,7 +1090,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
pages[i].addr = ctx->maps[i]->dma_addr;

mmap_read_lock(current->mm);
- vma = find_vma(current->mm, ctx->args[i].ptr);
+ vma = vma_lookup(current->mm, ctx->args[i].ptr);
if (vma)
pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
vma->vm_start;
--
2.53.0