Re: [PATCH v1 2/2] misc: fastrpc: Fix copy buffer page size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 18, 2024 at 03:54:29PM +0530, Ekansh Gupta wrote:
> For non-registered buffer, fastrpc driver copies the buffer and
> pass it to the remote subsystem. There is a problem with current
> implementation of page size calculation which is not considering
> the offset in the calculation. This might lead to passing of
> improper and out-of-bounds page size which could result in
> memory issue. Calculate page start and page end using the offset
> adjusted address instead of absolute address.

Which offset?

> 
> Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Ekansh Gupta <quic_ekangupt@xxxxxxxxxxx>
> ---
>  drivers/misc/fastrpc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index cfa1546c9e3f..00154c888c45 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -1019,8 +1019,8 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
>  					(pkt_size - rlen);
>  			pages[i].addr = pages[i].addr &	PAGE_MASK;
>  
> -			pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
> -			pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
> +			pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
> +			pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
>  			pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
>  			args = args + mlen;
>  			rlen -= mlen;
> -- 
> 2.34.1
> 

-- 
With best wishes
Dmitry




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux