[PATCH V1] accel/amdxdna: Validate command buffer payload count

[PATCH V1] accel/amdxdna: Validate command buffer payload count

[Lizhi Hou]

The count field in the command header is used to determine the valid
payload size. Verify that the valid payload does not exceed the remaining
buffer space.

Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
 drivers/accel/amdxdna/amdxdna_ctx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
index d17aef89a0ad..cf4d3af67bf7 100644
--- a/drivers/accel/amdxdna/amdxdna_ctx.c
+++ b/drivers/accel/amdxdna/amdxdna_ctx.c
@@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size)
 
 	if (size) {
 		count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header);
-		if (unlikely(count <= num_masks)) {
+		if (unlikely(count <= num_masks ||
+			     count * sizeof(u32) +
+			     offsetof(struct amdxdna_cmd, data[0]) >
+			     abo->mem.size)) {
 			*size = 0;
 			return NULL;
 		}
-- 
2.34.1

Re: [PATCH V1] accel/amdxdna: Validate command buffer payload count

[Mario Limonciello (AMD) (kernel.org)]

On 2/19/2026 3:19 PM, Lizhi Hou wrote:
> The count field in the command header is used to determine the valid
> payload size. Verify that the valid payload does not exceed the remaining
> buffer space.
> 
> Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
>   drivers/accel/amdxdna/amdxdna_ctx.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
> index d17aef89a0ad..cf4d3af67bf7 100644
> --- a/drivers/accel/amdxdna/amdxdna_ctx.c
> +++ b/drivers/accel/amdxdna/amdxdna_ctx.c
> @@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size)
>   
>   	if (size) {
>   		count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header);
> -		if (unlikely(count <= num_masks)) {
> +		if (unlikely(count <= num_masks ||
> +			     count * sizeof(u32) +
> +			     offsetof(struct amdxdna_cmd, data[0]) >
> +			     abo->mem.size)) {
>   			*size = 0;
>   			return NULL;
>   		}

Claude review: accel/amdxdna: Validate command buffer payload count

[Claude Code Review Bot]

Overall Series Review

Subject: accel/amdxdna: Validate command buffer payload count
Author: Lizhi Hou <lizhi.hou@amd.com>
Patches: 2
Reviewed: 2026-02-23T06:27:49.749404

---

This is a single patch fixing a buffer overread vulnerability in the amdxdna accelerator driver. The `amdxdna_cmd_get_payload()` function reads a `count` field from a command header embedded in a GEM buffer object and uses it to calculate the payload size. Before this fix, the function only checked that `count > num_masks` but did not verify that the total claimed size fits within the underlying buffer. A malicious or corrupted command buffer could set a `count` value that passes the existing check but extends past the end of the allocated buffer, leading to an out-of-bounds read when callers copy or process the payload.

The fix adds a second condition to the existing validation, checking that `count * sizeof(u32) + offsetof(struct amdxdna_cmd, data[0])` does not exceed `abo->mem.size`. The arithmetic is safe from overflow since `count` is extracted from an 11-bit field (GENMASK(22, 12), max 2047), and the entire expression evaluates in `size_t` due to `sizeof(u32)` promoting the operands. The fix is minimal and targeted.

---
Generated by Claude Code Patch Reviewer

Claude review: accel/amdxdna: Validate command buffer payload count

[Claude Code Review Bot]

Patch Review

The fix is correct and the commit message clearly explains what is being validated and why.

> +		if (unlikely(count <= num_masks ||
> +			     count * sizeof(u32) +
> +			     offsetof(struct amdxdna_cmd, data[0]) >
> +			     abo->mem.size)) {

The arithmetic checks out. `count` comes from `FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header)` where `AMDXDNA_CMD_COUNT` is `GENMASK(22, 12)`, giving a maximum value of 2047. Since `sizeof(u32)` is `size_t`, the multiplication promotes `count` to `size_t` and the maximum result is 8188 + 4 = 8192 — no overflow risk. The comparison against `abo->mem.size` (also `size_t`) is straightforward.

Minor note: `offsetof(struct amdxdna_cmd, data[0])` is equivalent to `offsetof(struct amdxdna_cmd, data)`. The `[0]` subscript in `offsetof` is a GNU extension that the kernel uses elsewhere, so this is fine, just slightly unusual.

One observation about pre-existing caller patterns (not introduced by this patch): some callers like `aie2_init_exec_cu_req()` do not check the return value for NULL before using the pointer:

```c
cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
if (cmd_len > sizeof(cu_req->payload))
    return -EINVAL;
...
memcpy(cu_req->payload, cmd, cmd_len);
```

When the new validation triggers, `cmd` is NULL and `cmd_len` is 0, so the `memcpy` becomes `memcpy(dst, NULL, 0)`. In practice this is harmless in the kernel, but it is technically undefined behavior per the C standard. Other callers like the `ERT_CMD_CHAIN` path at line 972 do properly check `!payload`. This is a pre-existing pattern and not a problem introduced by this patch, but a follow-up to add explicit NULL checks in callers would be worthwhile.

No other issues found. The patch is a clean, correct fix for a real validation gap.

---
Generated by Claude Code Patch Reviewer