Re: [PATCH v1 2/2] misc: fastrpc: Fix copy buffer page size
From: Dmitry Baryshkov
Date: Wed Dec 18 2024 - 06:15:07 EST
On Wed, Dec 18, 2024 at 03:54:29PM +0530, Ekansh Gupta wrote:
> For non-registered buffer, fastrpc driver copies the buffer and
> pass it to the remote subsystem. There is a problem with current
> implementation of page size calculation which is not considering
> the offset in the calculation. This might lead to passing of
> improper and out-of-bounds page size which could result in
> memory issue. Calculate page start and page end using the offset
> adjusted address instead of absolute address.
Which offset?
>
> Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Ekansh Gupta <quic_ekangupt@xxxxxxxxxxx>
> ---
> drivers/misc/fastrpc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index cfa1546c9e3f..00154c888c45 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -1019,8 +1019,8 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
> (pkt_size - rlen);
> pages[i].addr = pages[i].addr & PAGE_MASK;
>
> - pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
> - pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
> + pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
> + pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
> pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
> args = args + mlen;
> rlen -= mlen;
> --
> 2.34.1
>
--
With best wishes
Dmitry