Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

accel/amdxdna: Fix out-of-bounds memset in command slot handling

The remaining space in a command slot may be smaller than the size of
the command header. Clearing the command header with memset() before
verifying the available slot space can result in an out-of-bounds write
and memory corruption.

Fix this by moving the memset() call after the size validation.

Fixes: 3d32eb7a5ecf ("accel/amdxdna: Fix cu_idx being cleared by memset() during command setup")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260217185415.1781908-1-lizhi.hou@amd.com

Lizhi Hou 1110a949 07efce5a

+4 -4
+4 -4
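--- a/drivers/accel/amdxdna/aie2_message.c
+++ b/drivers/accel/amdxdna/aie2_message.c
@@ -699,11 +699,11 @@
 u32 cmd_len;
 void *cmd;
 
-memset(npu_slot, 0, sizeof(*npu_slot));
 cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
 if (*size < sizeof(*npu_slot) + cmd_len)
 return -EINVAL;
 
+memset(npu_slot, 0, sizeof(*npu_slot));
 npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
 if (npu_slot->cu_idx == INVALID_CU_IDX)
 return -EINVAL;
@@ -724,7 +724,6 @@
 u32 cmd_len;
 u32 arg_sz;
 
-memset(npu_slot, 0, sizeof(*npu_slot));
 sn = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
 arg_sz = cmd_len - sizeof(*sn);
 if (cmd_len < sizeof(*sn) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -732,6 +731,7 @@
 if (*size < sizeof(*npu_slot) + arg_sz)
 return -EINVAL;
 
+memset(npu_slot, 0, sizeof(*npu_slot));
 npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
 if (npu_slot->cu_idx == INVALID_CU_IDX)
 return -EINVAL;
@@ -756,7 +756,6 @@
 u32 cmd_len;
 u32 arg_sz;
 
-memset(npu_slot, 0, sizeof(*npu_slot));
 pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
 arg_sz = cmd_len - sizeof(*pd);
 if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -764,6 +763,7 @@
 if (*size < sizeof(*npu_slot) + arg_sz)
 return -EINVAL;
 
+memset(npu_slot, 0, sizeof(*npu_slot));
 npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo);
 if (npu_slot->cu_idx == INVALID_CU_IDX)
 return -EINVAL;
@@ -792,7 +792,6 @@
 u32 cmd_len;
 u32 arg_sz;
 
-memset(npu_slot, 0, sizeof(*npu_slot));
 pd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len);
 arg_sz = cmd_len - sizeof(*pd);
 if (cmd_len < sizeof(*pd) || arg_sz > MAX_NPU_ARGS_SIZE)
@@ -800,6 +799,7 @@
 if (*size < sizeof(*npu_slot) + arg_sz)
 return -EINVAL;
 
+memset(npu_slot, 0, sizeof(*npu_slot));
 npu_slot->type = EXEC_NPU_TYPE_ELF;
 npu_slot->inst_buf_addr = pd->inst_buf;
 npu_slot->save_buf_addr = pd->save_buf;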
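Review bot: The moved `memset(npu_slot, 0, sizeof(*npu_slot));` now depends on two ordering constraints that nothing in the code states: it has to follow the `*size < sizeof(*npu_slot) + ...` check (this fix) and, going by the Fixes: subject, precede the `npu_slot->cu_idx` assignment. The same sequence is repeated in all four slot-fill functions touched here, so I would put a short comment above each moved call, for example `/* Zero the header only after *size is known to cover it; must come before any field is set. */`. Folding the check-then-clear step into one static helper would stop the four copies drifting apart again, though the function bodies start and end outside the visible hunks, so whether their signatures allow that cannot be judged from here. It is also worth confirming that amdxdna_cmd_get_payload() cannot return NULL on these paths, since `pd->inst_buf` is read in the last hunk with no pointer check visible in these lines.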