* [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling
@ 2026-02-17 18:54 Lizhi Hou
2026-02-17 18:55 ` Mario Limonciello
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Lizhi Hou @ 2026-02-17 18:54 UTC (permalink / raw)
To: ogabbay, quic_jhugo, dri-devel, maciej.falkowski
Cc: Lizhi Hou, linux-kernel, max.zhen, sonal.santan,
mario.limonciello
The remaining space in a command slot may be smaller than the size of
the command header. Clearing the command header with memset() before
verifying the available slot space can result in an out-of-bounds write
and memory corruption.
Fix this by moving the memset() call after the size validation.
Fixes: 3d32eb7a5ecf ("accel/amdxdna: Fix cu_idx being cleared by memset() during command setup")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
drivers/accel/amdxdna/aie2_message.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
index 7d7dcfeaf794..8fbbc3280468 100644
--- a/drivers/accel/amdxdna/aie2_message.c
+++ b/drivers/accel/amdxdna/aie2_message.c
@@ -694,11 +694,11 @@ aie2_cmdlist_fill_npu_cf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *siz
u32 cmd_len;
void *cmd;
- memset(npu_slot, 0, sizeof(*npu_slot));
cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
if (*size < sizeof(*npu_slot) + cmd_len)
return -EINVAL;
+ memset(npu_slot, 0, sizeof(*npu_slot));
npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
if (npu_slot->cu_idx == INVALID_CU_IDX)
return -EINVAL;
@@ -719,7 +719,6 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
u32 cmd_len;
u32 arg_sz;
- memset(npu_slot, 0, sizeof(*npu_slot));
sn = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
arg_sz = cmd_len - sizeof(*sn);
if (cmd_len < sizeof(*sn) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -728,6 +727,7 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
if (*size < sizeof(*npu_slot) + arg_sz)
return -EINVAL;
+ memset(npu_slot, 0, sizeof(*npu_slot));
npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
if (npu_slot->cu_idx == INVALID_CU_IDX)
return -EINVAL;
@@ -751,7 +751,6 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t
u32 cmd_len;
u32 arg_sz;
- memset(npu_slot, 0, sizeof(*npu_slot));
pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
arg_sz = cmd_len - sizeof(*pd);
if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -760,6 +759,7 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t
if (*size < sizeof(*npu_slot) + arg_sz)
return -EINVAL;
+ memset(npu_slot, 0, sizeof(*npu_slot));
npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
if (npu_slot->cu_idx == INVALID_CU_IDX)
return -EINVAL;
@@ -787,7 +787,6 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
u32 cmd_len;
u32 arg_sz;
- memset(npu_slot, 0, sizeof(*npu_slot));
pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
arg_sz = cmd_len - sizeof(*pd);
if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -796,6 +795,7 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
if (*size < sizeof(*npu_slot) + arg_sz)
return -EINVAL;
+ memset(npu_slot, 0, sizeof(*npu_slot));
npu_slot->type = EXEC_NPU_TYPE_ELF;
npu_slot->inst_buf_addr = pd->inst_buf;
npu_slot->save_buf_addr = pd->save_buf;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling
2026-02-17 18:54 [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling Lizhi Hou
@ 2026-02-17 18:55 ` Mario Limonciello
2026-02-17 20:45 ` Claude review: " Claude Code Review Bot
2026-02-17 20:45 ` Claude Code Review Bot
2 siblings, 0 replies; 4+ messages in thread
From: Mario Limonciello @ 2026-02-17 18:55 UTC (permalink / raw)
To: Lizhi Hou, ogabbay, quic_jhugo, dri-devel, maciej.falkowski
Cc: linux-kernel, max.zhen, sonal.santan
On 2/17/26 12:54 PM, Lizhi Hou wrote:
> The remaining space in a command slot may be smaller than the size of
> the command header. Clearing the command header with memset() before
> verifying the available slot space can result in an out-of-bounds write
> and memory corruption.
>
> Fix this by moving the memset() call after the size validation.
>
> Fixes: 3d32eb7a5ecf ("accel/amdxdna: Fix cu_idx being cleared by memset() during command setup")
> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
> drivers/accel/amdxdna/aie2_message.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
> index 7d7dcfeaf794..8fbbc3280468 100644
> --- a/drivers/accel/amdxdna/aie2_message.c
> +++ b/drivers/accel/amdxdna/aie2_message.c
> @@ -694,11 +694,11 @@ aie2_cmdlist_fill_npu_cf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *siz
> u32 cmd_len;
> void *cmd;
>
> - memset(npu_slot, 0, sizeof(*npu_slot));
> cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
> if (*size < sizeof(*npu_slot) + cmd_len)
> return -EINVAL;
>
> + memset(npu_slot, 0, sizeof(*npu_slot));
> npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
> if (npu_slot->cu_idx == INVALID_CU_IDX)
> return -EINVAL;
> @@ -719,7 +719,6 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
> u32 cmd_len;
> u32 arg_sz;
>
> - memset(npu_slot, 0, sizeof(*npu_slot));
> sn = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
> arg_sz = cmd_len - sizeof(*sn);
> if (cmd_len < sizeof(*sn) || arg_sz > MAX_NPU_ARGS_SIZE)
> @@ -728,6 +727,7 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
> if (*size < sizeof(*npu_slot) + arg_sz)
> return -EINVAL;
>
> + memset(npu_slot, 0, sizeof(*npu_slot));
> npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
> if (npu_slot->cu_idx == INVALID_CU_IDX)
> return -EINVAL;
> @@ -751,7 +751,6 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t
> u32 cmd_len;
> u32 arg_sz;
>
> - memset(npu_slot, 0, sizeof(*npu_slot));
> pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
> arg_sz = cmd_len - sizeof(*pd);
> if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
> @@ -760,6 +759,7 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t
> if (*size < sizeof(*npu_slot) + arg_sz)
> return -EINVAL;
>
> + memset(npu_slot, 0, sizeof(*npu_slot));
> npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
> if (npu_slot->cu_idx == INVALID_CU_IDX)
> return -EINVAL;
> @@ -787,7 +787,6 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
> u32 cmd_len;
> u32 arg_sz;
>
> - memset(npu_slot, 0, sizeof(*npu_slot));
> pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
> arg_sz = cmd_len - sizeof(*pd);
> if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
> @@ -796,6 +795,7 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si
> if (*size < sizeof(*npu_slot) + arg_sz)
> return -EINVAL;
>
> + memset(npu_slot, 0, sizeof(*npu_slot));
> npu_slot->type = EXEC_NPU_TYPE_ELF;
> npu_slot->inst_buf_addr = pd->inst_buf;
> npu_slot->save_buf_addr = pd->save_buf;
^ permalink raw reply [flat|nested] 4+ messages in thread
* Claude review: accel/amdxdna: Fix out-of-bounds memset in command slot handling
2026-02-17 18:54 [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling Lizhi Hou
2026-02-17 18:55 ` Mario Limonciello
@ 2026-02-17 20:45 ` Claude Code Review Bot
2026-02-17 20:45 ` Claude Code Review Bot
2 siblings, 0 replies; 4+ messages in thread
From: Claude Code Review Bot @ 2026-02-17 20:45 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: accel/amdxdna: Fix out-of-bounds memset in command slot handling
Author: Lizhi Hou <lizhi.hou@amd.com>
Patches: 2
Reviewed: 2026-02-18T06:45:36.268063
---
This is a single-patch fix for the `accel/amdxdna` driver that addresses an out-of-bounds memset in four command slot filling functions. The bug was introduced by commit 3d32eb7a5ecf which moved the `memset()` call to occur before validation of available slot space. The fix is straightforward: move each `memset()` call to after the size checks that verify the slot buffer is large enough.
The bug is real and reachable. In the chain execution path (`aie2_cmdlist_chain_exec`), the remaining buffer size (`cmdbuf_abo->mem.size - offset`) shrinks with each iteration as slots are packed sequentially. If the remaining space is smaller than `sizeof(struct cmd_chain_slot_npu)`, the old code would `memset()` past the buffer boundary before the `*size < sizeof(*npu_slot) + ...` check could return `-EINVAL`. The fix is correct and minimal.
No cross-patch concerns since this is a single patch.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 4+ messages in thread
* Claude review: accel/amdxdna: Fix out-of-bounds memset in command slot handling
2026-02-17 18:54 [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling Lizhi Hou
2026-02-17 18:55 ` Mario Limonciello
2026-02-17 20:45 ` Claude review: " Claude Code Review Bot
@ 2026-02-17 20:45 ` Claude Code Review Bot
2 siblings, 0 replies; 4+ messages in thread
From: Claude Code Review Bot @ 2026-02-17 20:45 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
The fix is applied consistently across all four affected functions: `aie2_cmdlist_fill_npu_cf`, `aie2_cmdlist_fill_npu_dpu`, `aie2_cmdlist_fill_npu_preempt`, and `aie2_cmdlist_fill_npu_elf`.
The pattern in each case is the same. Taking `aie2_cmdlist_fill_npu_cf` as representative:
> - memset(npu_slot, 0, sizeof(*npu_slot));
> cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
> if (*size < sizeof(*npu_slot) + cmd_len)
> return -EINVAL;
>
> + memset(npu_slot, 0, sizeof(*npu_slot));
> npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
The `slot` pointer comes from `cmdbuf_abo->mem.kva + offset` where the available space is `cmdbuf_abo->mem.size - offset`. When multiple commands are chained, `offset` advances with each slot, and the remaining space can become smaller than `sizeof(struct cmd_chain_slot_npu)` (which is 56+ bytes with the packed struct header fields). Writing `sizeof(*npu_slot)` bytes via memset before checking that there is room would corrupt whatever follows the buffer.
Moving the memset after the size validation is the correct fix. After the check passes, `*size >= sizeof(*npu_slot) + payload_size`, so the memset of `sizeof(*npu_slot)` bytes is guaranteed to be in bounds.
One minor observation on `aie2_cmdlist_fill_npu_elf`: unlike the other three functions, this one does not set `npu_slot->cu_idx` and instead immediately sets `npu_slot->type`. The memset still correctly appears after the size check, so the fix is consistent. This just means `cu_idx` will be left at zero from the memset, which appears intentional since ELF-type slots apparently don't need a CU index.
The commit message is accurate, the Fixes tag correctly identifies the commit that introduced the regression, and the change is minimal and correct. No issues found.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-17 20:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-17 18:54 [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling Lizhi Hou
2026-02-17 18:55 ` Mario Limonciello
2026-02-17 20:45 ` Claude review: " Claude Code Review Bot
2026-02-17 20:45 ` Claude Code Review Bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox