public inbox for drm-ai-reviews@public-inbox.freedesktop.org
* [PATCH] misc: fastrpc: fix DMA address corruption due to find_vma misuse
@ 2026-05-15  9:16 Junrui Luo
  2026-05-15 23:24 ` Claude review: " Claude Code Review Bot
  2026-05-15 23:24 ` Claude Code Review Bot
  0 siblings, 2 replies; 3+ messages in thread
From: Junrui Luo @ 2026-05-15  9:16 UTC (permalink / raw)
  To: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann,
	Greg Kroah-Hartman
  Cc: linux-arm-msm, dri-devel, linux-kernel, stable, Yuhao Jiang,
	Junrui Luo

fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
 drivers/misc/fastrpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 47356a5d5804..31b709fe6ed1 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1041,7 +1041,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
 			pages[i].addr = ctx->maps[i]->dma_addr;
 
 			mmap_read_lock(current->mm);
-			vma = find_vma(current->mm, ctx->args[i].ptr);
+			vma = vma_lookup(current->mm, ctx->args[i].ptr);
 			if (vma)
 				pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
 						 vma->vm_start;
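
Review bot: at the `if (vma)` guard that follows the changed call, a NULL from vma_lookup() is skipped silently, so a pointer that lies outside every VMA leaves pages[i].addr at the unadjusted ctx->maps[i]->dma_addr and the invocation carries on. Consider treating NULL as an error at this point: release the mmap read lock and fail the call (for example with -EFAULT) instead of falling through. A one-line comment saying why vma_lookup() is needed here rather than find_vma() would also help keep the check from regressing.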

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260515-fixes-0071a59299e5

Best regards,
-- 
Junrui Luo <moonafterrain@outlook.com>



* Claude review: misc: fastrpc: fix DMA address corruption due to find_vma misuse
  2026-05-15  9:16 [PATCH] misc: fastrpc: fix DMA address corruption due to find_vma misuse Junrui Luo
@ 2026-05-15 23:24 ` Claude Code Review Bot
  2026-05-15 23:24 ` Claude Code Review Bot
  1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-05-15 23:24 UTC (permalink / raw)
  To: dri-devel-reviews

Overall Series Review

Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse
Author: Junrui Luo <moonafterrain@outlook.com>
Patches: 1
Reviewed: 2026-05-16T09:24:08.007858

---

This is a single-patch fix for a real bug in the fastrpc driver. The analysis is correct: `find_vma()` returns the first VMA with `vma->vm_end > addr`, which means if the address falls in a gap *before* that VMA, the subsequent arithmetic `(ptr & PAGE_MASK) - vma->vm_start` will underflow (since `ptr` could be well below `vma->vm_start`), corrupting the DMA address passed to the DSP. Replacing with `vma_lookup()` is the standard and correct fix — it returns NULL when the address is not contained within any VMA, so the offset calculation is only performed when the address genuinely belongs to the found VMA.

The patch is minimal, correct, and appropriate for stable backport.

**Verdict: Looks good.**

---
Generated by Claude Code Patch Reviewer


* Claude review: misc: fastrpc: fix DMA address corruption due to find_vma misuse
  2026-05-15  9:16 [PATCH] misc: fastrpc: fix DMA address corruption due to find_vma misuse Junrui Luo
  2026-05-15 23:24 ` Claude review: " Claude Code Review Bot
@ 2026-05-15 23:24 ` Claude Code Review Bot
  1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-05-15 23:24 UTC (permalink / raw)
  To: dri-devel-reviews

Patch Review

**Correctness: Good.** The core issue is well-identified. At line 1044 (post-patch):

```c
vma = vma_lookup(current->mm, ctx->args[i].ptr);
if (vma)
    pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
                     vma->vm_start;
```

With the old `find_vma()`, if `ctx->args[i].ptr` fell in a hole before the returned VMA, `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` would produce a large unsigned underflow, corrupting `pages[i].addr`. With `vma_lookup()`, such cases correctly return NULL and the offset is not applied.

**One observation:** When `vma_lookup()` returns NULL (address not in any VMA), the code silently proceeds with `pages[i].addr` set to the raw `ctx->maps[i]->dma_addr` without any offset, and continues to compute `pages[i].size` based on the pointer. This means a bad user-supplied pointer won't cause an immediate error — it will send a potentially wrong DMA address to the DSP. The existing code had this same "silent fallthrough" behavior with `find_vma()` (just the `if (vma)` guard was already there), so this patch doesn't make it worse, but a follow-up that returns an error when `vma_lookup()` returns NULL would be a stronger fix. That said, it's out of scope for this minimal fix and the Fixes/Cc:stable tags are appropriate.

**Commit message: Good.** Clear explanation of the root cause (underflow in the offset calculation), the trigger (address in a gap before the VMA), and the fix (switch to `vma_lookup()`). The Fixes tag correctly references commit `80f3afd72bd4` which introduced the `find_vma()` usage.

**Tags: Correct.** Cc: stable, Fixes, Reported-by, and Signed-off-by are all present and properly formatted.

**No other issues found.** The patch is a clean one-line change with no side effects.

---
Generated by Claude Code Patch Reviewer
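
A user-space model of the offset arithmetic discussed in this thread, added here as an illustration and not taken from the patch, the kernel or either review. The names `model_find_vma`, `model_vma_lookup` and `dma_addr_for`, the two-mapping address space and the DMA base value are constructed assumptions that mirror the lookup semantics the commit message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_MASK (~(uint64_t)0xfff)

struct vma { uint64_t vm_start, vm_end; };   /* covers [vm_start, vm_end) */

/* Constructed address space: two mappings with an unmapped gap between them. */
static const struct vma vmas[] = {
    { 0x10000, 0x20000 },
    { 0x40000, 0x50000 },
};
#define NVMAS (sizeof(vmas) / sizeof(vmas[0]))

/* Model of find_vma(): first VMA with vm_end > addr. addr may be below vm_start. */
static const struct vma *model_find_vma(uint64_t addr)
{
    for (size_t i = 0; i < NVMAS; i++)
        if (vmas[i].vm_end > addr)
            return &vmas[i];
    return NULL;
}

/* Model of vma_lookup(): a VMA is returned only if it actually contains addr. */
static const struct vma *model_vma_lookup(uint64_t addr)
{
    const struct vma *v = model_find_vma(addr);
    return (v && addr >= v->vm_start) ? v : NULL;
}

/* The offset step from the hunk, parameterised by the lookup function used. */
static uint64_t dma_addr_for(uint64_t dma_base, uint64_t ptr,
                             const struct vma *(*lookup)(uint64_t))
{
    const struct vma *v = lookup(ptr);
    uint64_t addr = dma_base;
    if (v)
        addr += (ptr & PAGE_MASK) - v->vm_start;  /* wraps if ptr < vm_start */
    return addr;
}

int main(void)
{
    uint64_t base = 0x80000000, gap_ptr = 0x30010;  /* gap_ptr is in the hole */
    printf("find_vma:   %#llx\n",
           (unsigned long long)dma_addr_for(base, gap_ptr, model_find_vma));
    printf("vma_lookup: %#llx\n",
           (unsigned long long)dma_addr_for(base, gap_ptr, model_vma_lookup));
    return 0;
}
```

With the pointer in the gap, the find_vma model lands 0x10000 below the buffer's DMA base, while the vma_lookup model leaves the base untouched; for a pointer inside a mapping both give the same result.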

