On Fri, May 15, 2026 at 05:16:03PM +0800, Junrui Luo wrote:
> fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
> pointer and compute a DMA address offset. When the address falls in a gap
> before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
> corrupting the DMA address sent to the DSP.
>
> Replace find_vma() with vma_lookup(), which returns NULL when the address
> is not contained within any VMA.
>
> Cc: [email protected]
> Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending
> to DSP")
> Reported-by: Yuhao Jiang <[email protected]>
> Signed-off-by: Junrui Luo <[email protected]>
> ---
>  drivers/misc/fastrpc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Dmitry Baryshkov <[email protected]>

-- 
With best wishes
Dmitry
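
The difference between the two lookups described in the quoted commit message, as an added user-space model (not code from the patch or from drivers/misc/fastrpc.c). The struct, the model_* helpers, page_offset(), the 4 KiB page size and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_MASK (~0xfffULL)   /* assumption: 4 KiB pages */

/* Simplified stand-in for vm_area_struct: covers [vm_start, vm_end). */
struct vma { uint64_t vm_start, vm_end; };

/* Constructed address space: two mappings with an unmapped gap between. */
static const struct vma vmas[] = {
    { 0x10000, 0x12000 },
    { 0x20000, 0x24000 },
};

/* find_vma() semantics: first VMA with addr < vm_end; may start above addr. */
static const struct vma *model_find_vma(uint64_t addr)
{
    for (size_t i = 0; i < sizeof(vmas) / sizeof(vmas[0]); i++)
        if (addr < vmas[i].vm_end)
            return &vmas[i];
    return NULL;
}

/* vma_lookup() semantics: NULL unless addr lies inside the returned VMA. */
static const struct vma *model_vma_lookup(uint64_t addr)
{
    const struct vma *v = model_find_vma(addr);
    return (v && addr >= v->vm_start) ? v : NULL;
}

/* Offset expression from the commit message; -1 when the lookup failed. */
static int page_offset(const struct vma *v, uint64_t ptr, uint64_t *off)
{
    if (!v)
        return -1;
    *off = (ptr & PAGE_MASK) - v->vm_start;
    return 0;
}

int main(void)
{
    uint64_t ptr = 0x15008, off = 0;   /* constructed pointer in the gap */
    if (page_offset(model_find_vma(ptr), ptr, &off) == 0)
        printf("find_vma:   offset 0x%llx\n", (unsigned long long)off);
    if (page_offset(model_vma_lookup(ptr), ptr, &off) != 0)
        printf("vma_lookup: no containing VMA, reject\n");
    return 0;
}
```

With the find_vma() model the gap pointer yields an offset that wraps around to a huge unsigned value, while the vma_lookup() model returns NULL so the offset is never computed.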
