From: Ziyi Guo
To: Koby Elbaz, Konstantin Sinyuk, Oded Gabbay
Cc: Tomer Tayar, farah kassabri, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Ziyi Guo
Subject: [PATCH] accel/habanalabs: reject zero-element timestamp buffer allocation
Date: Fri, 13 Feb 2026 17:35:30 +0000
Message-Id: <20260213173530.2963318-1-n7l8m4@u.northwestern.edu>

A user can issue a DRM_IOCTL_HL_MEMORY ioctl with op=HL_MEM_OP_TS_ALLOC
and num_of_elements=0. The allocate_timestamps_buffers() function only
validates the upper bound (> TS_MAX_ELEMENTS_NUM) but not zero, allowing
num_of_elements=0 to reach vmalloc_user(0 * sizeof(u64)), which triggers
WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems with
panic_on_warn=1, this allows a local user with device access to crash
the kernel.

Add a zero check to the existing validation, matching the pattern already
present in HL_MEM_OP_ALLOC (memory.c:2214).

Fixes: 9158bf69e74f ("habanalabs: Timestamps buffers registration")
Signed-off-by: Ziyi Guo --- drivers/accel/habanalabs/common/memory.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/accel/habanalabs/common/memory.c b/drivers/accel/haban= alabs/common/memory.c index 633db4bff46f..37dbb9a013bf 100644 --- a/drivers/accel/habanalabs/common/memory.c +++ b/drivers/accel/habanalabs/common/memory.c @@ -2176,8 +2176,9 @@ static int allocate_timestamps_buffers(struct hl_fpri= v *hpriv, struct hl_mem_in struct hl_mem_mgr *mmg =3D &hpriv->mem_mgr; struct hl_mmap_mem_buf *buf; =20 - if (args->num_of_elements > TS_MAX_ELEMENTS_NUM) { - dev_err(mmg->dev, "Num of elements exceeds Max allowed number (0x%x > 0x= %x)\n", + if (args->num_of_elements > TS_MAX_ELEMENTS_NUM || + args->num_of_elements =3D=3D 0) { + dev_err(mmg->dev, "Invalid num of elements %u, valid range [1, 0x%x]\n", args->num_of_elements, TS_MAX_ELEMENTS_NUM); return -EINVAL; } --=20 2.34.1
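
Review bot: The new dev_err() format string in allocate_timestamps_buffers() prints the rejected value in decimal ("%u") and the limit in hex ("0x%x"), so a single log line mixes bases where the message it replaces used 0x%x for both; pick one base for both fields so the reported value can be compared against the bound at a glance. Since this branch is reached directly from user-supplied args->num_of_elements, and the commit message notes any local user with device access can hit it, consider dev_err_ratelimited() or dev_dbg() here so repeated bad ioctls cannot flood the kernel log. The combined condition itself reads correctly: zero and anything above TS_MAX_ELEMENTS_NUM both return -EINVAL before the allocation.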