[PATCH] misc: fastrpc: exclude mapped buffers from inline overlaps
From: Yousef Alhouseen
Date: Wed Jun 24 2026 - 15:24:03 EST

fastrpc_get_buff_overlaps() computes overlap offsets for every invoke
buffer, but only buffers without an fd are serialized into the inline DMA
payload. A mapped buffer can therefore advance max_end without reserving
inline payload space.

If a following inline buffer overlaps that mapped range, the serializer
uses the mapped range to derive a negative offset into the inline buffer
and then copies user data there. Ignore mapped buffers when building the
inline overlap state so inline payload pointers always refer to memory
that was actually reserved in the invoke buffer.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index ed0041076..1b70acc10 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -630,6 +630,15 @@ static int fastrpc_get_buff_overlaps(struct fastrpc_invoke_ctx *ctx)
sort(ctx->olaps, ctx->nbufs, sizeof(*ctx->olaps), olaps_cmp, NULL);
for (i = 0; i < ctx->nbufs; ++i) {
+ int raix = ctx->olaps[i].raix;
+
+ if (ctx->args[raix].fd != 0 && ctx->args[raix].fd != -1) {
+ ctx->olaps[i].mstart = 0;
+ ctx->olaps[i].mend = 0;
+ ctx->olaps[i].offset = 0;
+ continue;
+ }
+
/* Falling inside previous range */
if (ctx->olaps[i].start < max_end) {
ctx->olaps[i].mstart = max_end;
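Review bot: The mapped-buffer test added at the top of the loop, `ctx->args[raix].fd != 0 && ctx->args[raix].fd != -1`, is open-coded and has no comment, so nothing in the code ties it to the condition the serializer uses when it decides whether a buffer goes into the inline payload. The commit message states the invariant (only buffers without an fd are serialized inline), and the fix is only correct while both sites agree on it. Can the serializer ever treat a buffer with a non-zero, non -1 fd as inline? If so, the overlap state and the copy path would disagree again. Consider moving the test into a small helper used by both places, and add a short comment above the `if` saying that mapped buffers reserve no inline space and therefore must not advance max_end. The same comment should say that zeroing mstart, mend and offset is intended to make the entry contribute nothing to the inline layout, since a reader cannot tell from these lines how the consumers of those fields treat a zeroed entry.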
--
2.54.0