Message-ID: <5171999a-12f0-4f8f-ab47-042bf1230ae9@kernel.org>
Date: Fri, 20 Feb 2026 11:03:54 -0600
Subject: Re: [PATCH V1] accel/amdxdna: Validate command buffer payload count
To: Lizhi Hou, ogabbay@kernel.org, quic_jhugo@quicinc.com, dri-devel@lists.freedesktop.org, maciej.falkowski@linux.intel.com
Cc: linux-kernel@vger.kernel.org, max.zhen@amd.com, sonal.santan@amd.com
References: <20260219211946.1920485-1-lizhi.hou@amd.com>
From: "Mario Limonciello (AMD) (kernel.org)"
In-Reply-To: <20260219211946.1920485-1-lizhi.hou@amd.com>
List-Id: Direct Rendering Infrastructure - Development

On 2/19/2026 3:19 PM, Lizhi Hou wrote:
> The count field in the command header is used to determine the valid
> payload size. Verify that the valid payload does not exceed the remaining
> buffer space.
>
> Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
> Signed-off-by: Lizhi Hou
Reviewed-by: Mario Limonciello (AMD)
> --- > drivers/accel/amdxdna/amdxdna_ctx.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c > index d17aef89a0ad..cf4d3af67bf7 100644 > --- a/drivers/accel/amdxdna/amdxdna_ctx.c > +++ b/drivers/accel/amdxdna/amdxdna_ctx.c > @@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size) > > if (size) { > count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header); > - if (unlikely(count <= num_masks)) { > + if (unlikely(count <= num_masks || > + count * sizeof(u32) + > + offsetof(struct amdxdna_cmd, data[0]) > > + abo->mem.size)) { > *size = 0; > return NULL; > }
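
Review bot: The new bound sits inside the `if (size)` block, so it is only evaluated when the caller passes a non-NULL size; a caller that passes NULL still gets no validation of `count` against `abo->mem.size`. If any such caller goes on to read the payload based on the header, the check belongs before `if (size)` rather than inside it. The three-part expression inside `unlikely()` is also hard to scan: computing the payload end into a named `size_t` local (`offsetof(struct amdxdna_cmd, data[0])` plus `count * sizeof(u32)`) and comparing that against `abo->mem.size` would make both the intent and the arithmetic width explicit. A one-line comment that `count` comes from the command header and is not trusted would help the next reader.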