[PATCH 1/3] misc: fastrpc: reject oversized DMA allocations

From: Yousef Alhouseen

Date: Thu Jun 25 2026 - 04:57:50 EST


FastRPC keeps invoke and mmap buffer sizes in u64 fields, but coherent
DMA allocation takes a size_t. On 32-bit builds, a size above SIZE_MAX
can be truncated before allocation while the larger value is still used
in the message sent to the DSP.

Reject sizes that cannot fit in size_t before allocating the DMA buffer.
Also make the inline payload alignment step overflow-aware so a
near-U64_MAX accumulator cannot wrap before the later bounds checks.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/fastrpc.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index bfdf8ab6a..8992b5c0c 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -437,6 +437,9 @@ static int __fastrpc_buf_alloc(struct fastrpc_user *fl, struct device *dev,
{
struct fastrpc_buf *buf;

+ if (size > SIZE_MAX)
+ return -EOVERFLOW;
+
buf = kzalloc_obj(*buf);
if (!buf)
return -ENOMEM;
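Review bot: The added `if (size > SIZE_MAX)` guard at the top of __fastrpc_buf_alloc can never be true on 64-bit builds if `size` is a u64, so it reads as dead code there and may trip type-limit warnings in extra-warning builds. The declaration of `size` sits in the part of the signature outside the hunk, so the u64 type is taken from the commit message. The kernel's `overflows_type()` helper states the intent without the tautology: `if (overflows_type(size, size_t)) return -EOVERFLOW;`. A short comment such as `/* the coherent DMA allocator takes size_t; refuse sizes a 32-bit build would truncate */` would stop the check being removed later as redundant. The function body continues past the end of the hunk.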
@@ -1035,8 +1038,14 @@ static int fastrpc_get_payload_size(struct fastrpc_invoke_ctx *ctx, int metalen,
u64 len = ctx->olaps[oix].mend -
ctx->olaps[oix].mstart;

- if (ctx->olaps[oix].offset == 0)
- size = ALIGN(size, FASTRPC_ALIGN);
+ if (ctx->olaps[oix].offset == 0) {
+ u64 aligned;
+
+ if (check_add_overflow(size, FASTRPC_ALIGN - 1,
+ &aligned))
+ return -EOVERFLOW;
+ size = aligned & ~(FASTRPC_ALIGN - 1);
+ }

if (check_add_overflow(size, len, &size))
return -EOVERFLOW;
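Review bot: The open-coded mask in `size = aligned & ~(FASTRPC_ALIGN - 1);` is only correct for a u64 if `FASTRPC_ALIGN` is a signed int or a 64-bit constant, and its definition is not visible in this hunk. If it were ever an unsigned 32-bit value, the complement would zero-extend and silently clear the upper 32 bits of `size`, which defeats the overflow handling this hunk adds. `size = ALIGN_DOWN(aligned, FASTRPC_ALIGN);` derives the mask from the type of `aligned` and avoids that dependency. fastrpc_get_payload_size starts and ends outside the hunk, so this assumes the later bounds checks mentioned in the commit message still see the full 64-bit value.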
--
2.54.0