From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E7F63815D5 for ; Thu, 25 Jun 2026 08:43:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782377028; cv=none; b=EoL+nWOC8BwMU9H9BFzjxhS6cpq44LKeACztBs9ErN/ajXeosrJMwOXbihHX18l1o9Mt82FdcOdHTivGZ3uRl8dTNL014LmDczjEO08L1xHM4KOGFZKQDkskmaoofCKXTdfzhh2czOPJFTxDoFnlDEdX7CEn7zYy6mwW8kEzO7A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782377028; c=relaxed/simple; bh=hJGwH/biF1wnv5Tq7vu+gu60HAofnz8uno8+ZE87Cbs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=tLgWPR2DALa0HTx6MUIAsRDPWicKlwktg/IYDw3zCCHzQPfKv1tbSdxk0mMahVMtj/k8tH9SjQAT55YSJ1IT8ea1xZ2W6bSCjbcjhb27HYmwODZYnptjSzTGG3KOzp0BUXbstHQ8btIw49SS8BK1OMUur2dO6bJMxZArA+Plwmk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=BJLnyPs1; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="BJLnyPs1" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82A221F000E9; Thu, 25 Jun 2026 08:43:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1782377027; bh=lWDr78pafejqbKTzJlpnBj1haiwgX8FIUQQSQCx9S0g=; h=From:To:Cc:Subject:Date:Reply-To; b=BJLnyPs123XYtdGUO5E/9jhLaKH8hQe8Rm3d7un4/jO30V0VP0j/W2sHY1DucIUHr yMN5N+OYh1ZYATWqidc6bfiaTF6ugX7r5zXT99la2cgQQYQQDMxJdgJY/7hJlKfotP VKvuCJDDllBQu5yW1Q5NUY3fv+sRMvcNWRit8w8c= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-53159: misc: fastrpc: fix DMA address corruption due to find_vma misuse Date: Thu, 25 Jun 2026 09:40:07 +0100 Message-ID: <2026062549-CVE-2026-53159-d6fc@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3365; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=pQ45NqpEr5VOIDRTkse25PmY6d/PuL4bZ2GMZFe27oQ=; b=owGbwMvMwCRo6H6F97bub03G02pJDFk2L0O1zx4SuvulO7RlTVfvlusLj/cernnz8omvcOpK3 xW9pXd/dsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEdq5kmO9stf+orP6uQPXv C5pXrzFhmROdN5lhwcFrhgfj7rx2tq1esW2KdeHz3Q53LgEA X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix DMA address corruption due to find_vma misuse fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided pointer and compute a DMA address offset. When the address falls in a gap before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, corrupting the DMA address sent to the DSP. Replace find_vma() with vma_lookup(), which returns NULL when the address is not contained within any VMA. The Linux kernel CVE team has assigned CVE-2026-53159 to this issue. Affected and fixed versions =========================== Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 5.15.210 with commit 2d0f47e27c1fa718b29c69aa7c96a2c5161bc2c2 Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 6.1.176 with commit 708c17b52c60fe7a57e73b495bdee50f58feb48c Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 6.6.143 with commit d3e26df2e8eb361e6bef096b2fd565476a1f14c4 Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 6.12.94 with commit e69e306a4cccb40a73511350cb280825a556ce3c Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 6.18.36 with commit 53e06f8a3c2b085c31bf1284e2ebcb8036e99625 Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 7.0.13 with commit 7ba7b30ddb04646d4d638f4d8c4718a304bbbddd Issue introduced in 5.2 with commit 80f3afd72bd4149c57daf852905476b43bb47647 and fixed in 7.1 with commit 464c6ad2aa16e1e1df9d559289199356493d1e00 Issue introduced in 5.1.6 with commit 954edc466128479872731d06f026d0e71840d153 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-53159 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/misc/fastrpc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/2d0f47e27c1fa718b29c69aa7c96a2c5161bc2c2 https://git.kernel.org/stable/c/708c17b52c60fe7a57e73b495bdee50f58feb48c https://git.kernel.org/stable/c/d3e26df2e8eb361e6bef096b2fd565476a1f14c4 https://git.kernel.org/stable/c/e69e306a4cccb40a73511350cb280825a556ce3c https://git.kernel.org/stable/c/53e06f8a3c2b085c31bf1284e2ebcb8036e99625 https://git.kernel.org/stable/c/7ba7b30ddb04646d4d638f4d8c4718a304bbbddd https://git.kernel.org/stable/c/464c6ad2aa16e1e1df9d559289199356493d1e00