git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
misc: fastrpc: fix DMA address corruption due to find_vma misuse
author Junrui Luo <moonafterrain@outlook.com>
Sat, 30 May 2026 20:45:26 +0000 (21:45 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2026 15:20:50 +0000 (17:20 +0200)
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/fastrpc.c

index 48f8262af53918a6452b6b48bdb99c4d83d53914..cca7489605c56e43c14225b8ca73185d8e60f3d2 100644 (file)
@@ -1090,7 +1090,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
                        pages[i].addr = ctx->maps[i]->dma_addr;
 
                        mmap_read_lock(current->mm);
-                       vma = find_vma(current->mm, ctx->args[i].ptr);
+                       vma = vma_lookup(current->mm, ctx->args[i].ptr);
                        if (vma)
                                pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
                                                 vma->vm_start;
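
Review bot: at the `if (vma)` that follows the new vma_lookup() call, a NULL result silently skips the offset and leaves pages[i].addr at ctx->maps[i]->dma_addr, so a user pointer that lies outside every VMA is still accepted and the unadjusted base address is used. If that fallback is intended, a short comment above the check saying so would help; if it is not, consider treating the NULL case as an error (drop mmap_read_lock and fail the call, for example with -EFAULT) rather than continuing. The subtraction `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` is safe after this change only because vma_lookup() guarantees vm_start <= ptr and vm_start is page aligned, which is worth stating in a comment so the lookup is not switched back to find_vma() later.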