On 3/24/26 2:44 AM, Pengpeng Hou wrote: > fastrpc_get_args() derives rpra[i].buf.pv from the overlap offset that > was computed from user-controlled argument pointers and lengths. The > resulting destination pointer is then used for copy_from_user() without > first checking that it still falls inside the allocated invoke buffer. > > Validate the overlap-derived destination range before storing it in > rpra[i].buf.pv and before copying inline arguments into the invoke > buffer. > ---
Your contribution lacks a DCO: https://docs.kernel.org/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin without which we can't accept it. Please run ./scripts/checkpatch.pl on the patch file Konrad
