| Message ID | 20241218102429.2026460-3-quic_ekangupt@quicinc.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Add missing fixes in fastrpc_get_args | expand |
On Wed, Dec 18, 2024 at 03:54:29PM +0530, Ekansh Gupta wrote: > For non-registered buffer, fastrpc driver copies the buffer and > pass it to the remote subsystem. There is a problem with current > implementation of page size calculation which is not considering > the offset in the calculation. This might lead to passing of > improper and out-of-bounds page size which could result in > memory issue. Calculate page start and page end using the offset > adjusted address instead of absolute address. Which offset? > > Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation") > Cc: stable <stable@kernel.org> > Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> > --- > drivers/misc/fastrpc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index cfa1546c9e3f..00154c888c45 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -1019,8 +1019,8 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx) > (pkt_size - rlen); > pages[i].addr = pages[i].addr & PAGE_MASK; > > - pg_start = (args & PAGE_MASK) >> PAGE_SHIFT; > - pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT; > + pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT; > + pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT; > pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE; > args = args + mlen; > rlen -= mlen; > -- > 2.34.1 >
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index cfa1546c9e3f..00154c888c45 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1019,8 +1019,8 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx) (pkt_size - rlen); pages[i].addr = pages[i].addr & PAGE_MASK; - pg_start = (args & PAGE_MASK) >> PAGE_SHIFT; - pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT; + pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT; + pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT; pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE; args = args + mlen; rlen -= mlen;
For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead of absolute address. Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation") Cc: stable <stable@kernel.org> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> --- drivers/misc/fastrpc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)