[PATCH] misc: fastrpc: reject oversized inline invoke payloads
From: Yousef Alhouseen
Date: Wed Jun 24 2026 - 14:56:27 EST
fastrpc_get_args() computes inline payload spans from 64-bit user
buffer ranges, but stores each span in an int before comparing it with
the remaining DMA buffer space.

A large span can truncate before the bounds check and advance the DMA
write cursor by the wrong amount. Keep the span 64-bit and fail the
invoke when the serialized payload would exceed the buffer.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 42fc128e1..8dd8315d5 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1079,7 +1079,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
ctx->rpra = rpra;
for (oix = 0; oix < ctx->nbufs; ++oix) {
- int mlen;
+ u64 mlen;
i = ctx->olaps[oix].raix;
len = ctx->args[i].length;
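Review bot: with `u64 mlen` declared at the top of the loop body, the later `mend - mstart` subtraction is no longer truncated, but an overlap entry whose mend is below mstart now wraps to a very large unsigned value. That is only rejected by the `rlen < mlen` comparison if rlen is itself an unsigned 64-bit quantity, and neither its declaration nor the types of mstart and mend are visible in this hunk. Please state those types in the commit message, or add an explicit mend < mstart check before the subtraction so the bounds check does not depend on wraparound. It would also help to confirm that every later use of mlen in the loop (the cursor advance the commit message mentions) takes a 64-bit operand, since the hunk only shows the declaration.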
@@ -1119,8 +1119,10 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
mlen = ctx->olaps[oix].mend - ctx->olaps[oix].mstart;
- if (rlen < mlen)
+ if (rlen < mlen) {
+ err = -EOVERFLOW;
goto bail;
+ }
rpra[i].buf.pv = args - ctx->olaps[oix].offset;
pages[i].addr = ctx->buf->dma_addr -
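Review bot: the removed `if (rlen < mlen) goto bail;` jumped to bail without assigning err, so the patch changes the return value on this path as well as the width of mlen, and the commit message only says "fail the invoke". Please say what err held at this point before the change (if it could be 0, the old code returned success with the remaining arguments not set up, which is a separate bug worth naming) and why -EOVERFLOW was chosen over the error code the rest of fastrpc_get_args() uses for bad user-supplied lengths. The message also carries no Fixes: tag; since it describes a truncation that moves the DMA write cursor by the wrong amount, a Fixes: line naming the commit that introduced `int mlen` would let stable maintainers pick it up.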
--
2.54.0