Claude review: misc: fastrpc: keep copied arguments inside the invoke buffer

[Claude Code Review Bot <claude-review@example.com>]

Patch Review

**Positive aspects:**
- Correctly identifies a real security issue — the offset subtraction at line 1067 can produce a pointer before the buffer start, and the subsequent `copy_from_user()` at line 1085 would write out-of-bounds.
- The two-check approach is appropriate: first check underflow (`offset > args - buf_start`), then check that the full length fits (`len > buf_end - dst`).

**Issues:**

1. **Type mismatch for `rpra[i].buf.pv`**: The original code assigns to `rpra[i].buf.pv` which is a `u64` (see `union fastrpc_remote_arg`), but the patch stores a `uintptr_t` into it:
```c
rpra[i].buf.pv = dst;
```
The original code was `rpra[i].buf.pv = args - ctx->olaps[oix].offset;` which is the same type arithmetic, so this is fine in practice (implicit widening on 64-bit), but it's worth noting this is consistent with the original code's implicit conversion.

2. **Missing Fixes/Cc stable tags**: This is a security fix for an existing vulnerability. The commit message should include a `Fixes:` tag pointing to the commit that introduced the vulnerable code (likely the initial fastrpc upstreaming commit) and a `Cc: stable@vger.kernel.org` tag so the fix gets backported.

3. **The `len` used in the second check may be overly broad**: The check `len > buf_end - dst` validates against the full argument length `ctx->args[i].length`. This is correct — `len` is the amount that will be copied by `copy_from_user()` at line 1085, so the entire range `[dst, dst+len)` must be within the buffer. This check is sound.

4. **Potential integer underflow in `buf_end - dst`**: If somehow `dst > buf_end` (which could happen if the first check passes but `args` itself is beyond `buf_end`), then `buf_end - dst` would wrap since both are `uintptr_t` (unsigned). However, this scenario shouldn't occur because `args` is bounded by `rlen` tracking remaining space — the `rlen < mlen` check at line 1064 prevents `args` from exceeding the buffer. So this is safe in practice.

5. **The blank line removal is cosmetic but fine**: The original code had a blank line after `} else {` which the patch replaces with the `dst` declaration. Minor style point, not an issue.

**Overall**: This is a valid security fix. It should include `Fixes:` and `Cc: stable` tags. The validation logic itself is correct and well-placed. The patch is minimal and focused, which is appropriate for a security fix.

---
Generated by Claude Code Patch Reviewer