Subject: Re: [PATCH V1] accel/amdxdna: Fix out-of-bounds memset in command slot handling
From: Mario Limonciello
Date: Tue, 17 Feb 2026 12:55:54 -0600
To: Lizhi Hou, ogabbay@kernel.org, quic_jhugo@quicinc.com, dri-devel@lists.freedesktop.org, maciej.falkowski@linux.intel.com
Cc: linux-kernel@vger.kernel.org, max.zhen@amd.com, sonal.santan@amd.com
In-Reply-To: <20260217185415.1781908-1-lizhi.hou@amd.com>

On 2/17/26 12:54 PM, Lizhi Hou wrote:
> The remaining space in a command slot may be smaller than the size of
> the command header. Clearing the command header with memset() before
> verifying the available slot space can result in an out-of-bounds write
> and memory corruption.
>
> Fix this by moving the memset() call after the size validation.
>
> Fixes: 3d32eb7a5ecf ("accel/amdxdna: Fix cu_idx being cleared by memset() during command setup")
> Signed-off-by: Lizhi Hou

Reviewed-by: Mario Limonciello (AMD)

> ---
> drivers/accel/amdxdna/aie2_message.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
> index 7d7dcfeaf794..8fbbc3280468 100644
> --- a/drivers/accel/amdxdna/aie2_message.c
> +++ b/drivers/accel/amdxdna/aie2_message.c
> @@ -694,11 +694,11 @@ aie2_cmdlist_fill_npu_cf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *siz > u32 cmd_len; > void *cmd; > > - memset(npu_slot, 0, sizeof(*npu_slot)); > cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len); > if (*size < sizeof(*npu_slot) + cmd_len) > return -EINVAL; > > + memset(npu_slot, 0, sizeof(*npu_slot)); > npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo); > if (npu_slot->cu_idx == INVALID_CU_IDX) > return -EINVAL; > @@ -719,7 +719,6 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si > u32 cmd_len; > u32 arg_sz; > > - memset(npu_slot, 0, sizeof(*npu_slot)); > sn = amdxdna_cmd_get_payload(cmd_bo, &cmd_len); > arg_sz = cmd_len - sizeof(*sn); > if (cmd_len < sizeof(*sn) || arg_sz > MAX_NPU_ARGS_SIZE) > @@ -728,6 +727,7 @@ aie2_cmdlist_fill_npu_dpu(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si > if (*size < sizeof(*npu_slot) + arg_sz) > return -EINVAL; > > + memset(npu_slot, 0, sizeof(*npu_slot)); > npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo); > if (npu_slot->cu_idx == INVALID_CU_IDX) > return -EINVAL; > @@ -751,7 +751,6 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t > u32 cmd_len; > u32 arg_sz; > > - memset(npu_slot, 0, sizeof(*npu_slot)); > pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len); > arg_sz = cmd_len - sizeof(*pd); > if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE) > @@ -760,6 +759,7 @@ aie2_cmdlist_fill_npu_preempt(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t > if (*size < sizeof(*npu_slot) + arg_sz) > return -EINVAL; > > + memset(npu_slot, 0, sizeof(*npu_slot)); > npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo); > if (npu_slot->cu_idx == INVALID_CU_IDX) > return -EINVAL; 
> @@ -787,7 +787,6 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si > u32 cmd_len; > u32 arg_sz; > > - memset(npu_slot, 0, sizeof(*npu_slot)); > pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len); > arg_sz = cmd_len - sizeof(*pd); > if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE) > @@ -796,6 +795,7 @@ aie2_cmdlist_fill_npu_elf(struct amdxdna_gem_obj *cmd_bo, void *slot, size_t *si > if (*size < sizeof(*npu_slot) + arg_sz) > return -EINVAL; > > + memset(npu_slot, 0, sizeof(*npu_slot)); > npu_slot->type = EXEC_NPU_TYPE_ELF; > npu_slot->inst_buf_addr = pd->inst_buf; > npu_slot->save_buf_addr = pd->save_buf;
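Review bot: in the @@ -694 hunk the moved memset is now covered by `if (*size < sizeof(*npu_slot) + cmd_len)`, the only check between function entry and the first write to `npu_slot`, so the re-ordering is sufficient for aie2_cmdlist_fill_npu_cf; one point worth recording in the commit message is that this comparison adds a `u32` (`cmd_len`) to a `size_t`, so it relies on 64-bit promotion to avoid wrapping, and a `size_add()`-style helper would make that assumption explicit if the driver is ever built for a 32-bit target.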
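Review bot: in the @@ -719/-728 hunks for aie2_cmdlist_fill_npu_dpu (and the identical pattern in the npu_preempt and npu_elf hunks), `arg_sz = cmd_len - sizeof(*sn);` is computed before `if (cmd_len < sizeof(*sn) || arg_sz > MAX_NPU_ARGS_SIZE)` rejects short commands, so `arg_sz` briefly wraps on bad input; the `||` short-circuits before `arg_sz` is consumed, so this is harmless today, but since the patch is already re-ordering these functions for bounds safety, moving the subtraction below the length check (or using `check_sub_overflow()`) would keep every derived length computed only after its inputs are known valid, and the new memset position would then follow a fully validated `arg_sz`.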
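As an added illustration that is not the driver's code, the two orderings the commit message contrasts side by side, with a harness that detects the out-of-bounds zeroing; the header layout, the 64-byte backing buffer and the canary are constructed for this example and are not taken from aie2_message.c.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CANARY 0xA5

/* Constructed stand-in for the slot header; not the real struct from aie2_message.c. */
struct npu_slot_hdr {
	uint32_t cu_idx;
	uint32_t type;
	uint64_t inst_buf_addr;
};

/* Pre-fix ordering: the header is zeroed before the remaining space (*size) is checked. */
int fill_slot_before_fix(void *slot, size_t *size, uint32_t cmd_len)
{
	struct npu_slot_hdr *hdr = slot;
	memset(hdr, 0, sizeof(*hdr));		/* may write past the end of the slot */
	if (*size < sizeof(*hdr) + cmd_len)
		return -EINVAL;
	hdr->cu_idx = 1;
	return 0;
}

/* Fixed ordering as in the patch: validate first, only then write into the slot. */
int fill_slot_after_fix(void *slot, size_t *size, uint32_t cmd_len)
{
	struct npu_slot_hdr *hdr = slot;
	if (*size < sizeof(*hdr) + cmd_len)
		return -EINVAL;
	memset(hdr, 0, sizeof(*hdr));
	hdr->cu_idx = 1;
	return 0;
}

/* Harness (constructed): the first `avail` bytes of a 64-byte backing buffer model the
 * slot's remaining space, everything after is a canary. Returns 1 if no byte past
 * `avail` was touched, 0 if the fill function wrote out of bounds. */
int canary_intact(int (*fill)(void *, size_t *, uint32_t), size_t avail, uint32_t cmd_len)
{
	_Alignas(8) unsigned char buf[64];
	size_t size = avail;
	memset(buf, CANARY, sizeof(buf));
	(void)fill(buf, &size, cmd_len);
	for (size_t i = avail; i < sizeof(buf); i++)
		if (buf[i] != CANARY)
			return 0;
	return 1;
}
```

With only 4 bytes left in the slot the pre-fix version clobbers the canary while returning -EINVAL, and the fixed version returns -EINVAL without touching the slot.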