From nobody Fri Apr 3 05:04:02 2026 Received: from CY3PR05CU001.outbound.protection.outlook.com (mail-westcentralusazon11013029.outbound.protection.outlook.com [40.93.201.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D65836E491 for ; Tue, 17 Feb 2026 19:28:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.93.201.29 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771356505; cv=fail; b=OAGpnE5JXHTRyVnqxFfx18cBwAqGlvITgIBpEuarfKIjO1iT0ooZaJvR4i74WpmIuTICrI1wvuXBzGQwrG2SI2hYbbp+s5Pu1bfH4xBEBSat3wtwXfuAhsOQoSVxqFll9aMf/YyB27n3JrC5Y0qltJ96njwpUzkyuYHua5m6gM4= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771356505; c=relaxed/simple; bh=ZB2mT3KTZb92X5Y372CGknOksJ65Fz+7I4OOcBwxoxw=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=ERna05SW0Mikr5espQuhc7enuN8SeDtEDpfsQVZm33tOMamDtq1bVcXoDb1pLC9IsvPISsxmcQzv4VTIaXKH5fFqk4BZAQ2Kix8xiSSN9QVNsR34fCvHxJo2CKlsGU8NL/5gcfrj/Nc/Wg+/RNAR3VSHYWdRO2XdVOwf/CxgJTs= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com; spf=fail smtp.mailfrom=amd.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b=lX2riNI2; arc=fail smtp.client-ip=40.93.201.29 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=amd.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amd.com header.i=@amd.com header.b="lX2riNI2" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JqFD4IxN/FfxxyVif3ftPKkESyXPy2hgFx/kRhTn0E8zaG6YN9CfSL/LgGccZu6SR/TZ0wbgJ9natUQknSVHW+7CRwJn5lvL/hPx+sZD3lN8uENPjoormiY/ATiwRmmcBHGEeejvCeXOffBt+RSdOgwyrT9mE0QkLlcgpKf+yTGHekZTW6SE7mNau1pjiAK1avo0lj79qxXg+r6/pUsJD/nzpAKzSkfcWpwy4S59fSMcS1/WfgRBvvsH510TH1frEaoLrSujhFGhqeh2mAJ9GDYJL9Tzgxpxk6NTJGTsswrSzaROzROkD9LqRSEiIK45+aTAJFGkktZ90Fo8eZDBLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+fH0VDSYo/EOQjeIUO9JjnY7Ajf+NUxPU+OvZvABL98=; b=DoHOCNebysYluCCTqrVb9QOy49LaKX/lX2vFsDEO1ctE2Zh/CZcuGIu6uniAjlKSN9heAw5ClNm+1sKhoNSabMRL63BdwxY7McCTf73DHB45HMwD0pMJmf0iDZ1XPq2xOUgh7tA1VAYUoLhxape9OINwPHh/jaz/kEgWJYTKEgVcZUDSDOL+G2wk28uFN3w6S8LKRNQYNAHDksR7hb7zwiJfDu9+RIPkAZrUQ55koajTRocuPgvXGwWLhFslp9oUR2IY82irjduQpjd4W7yaFwXBtAYsyEt/LJDtoXIvLP6JO/JjmqpkfucZ1ZlxWqrS4Kdz08TI3qcum1AF2rJ2WQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+fH0VDSYo/EOQjeIUO9JjnY7Ajf+NUxPU+OvZvABL98=; b=lX2riNI2uLqCO16fZY9zAedLpj+nnr5M4e6ELJb31O6cbE0RyKR68LqQOjFXy95RjJRgcX11qUMOl3ASBvenZUb9Qt0V8ldS0vykZP8WTgoM9bDdGm+0t1RvV+0N8zvMp3zE22rJeX1SDGwhI0EYdi1bs3wXaAABoFtwOyXX+Yw= Received: from SJ0PR03CA0334.namprd03.prod.outlook.com (2603:10b6:a03:39c::9) by DM4PR12MB7672.namprd12.prod.outlook.com (2603:10b6:8:103::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9611.16; Tue, 17 Feb 2026 19:28:18 +0000 Received: from SJ1PEPF00001CE3.namprd05.prod.outlook.com (2603:10b6:a03:39c:cafe::b0) by SJ0PR03CA0334.outlook.office365.com (2603:10b6:a03:39c::9) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9632.13 via Frontend Transport; Tue, 17 Feb 2026 19:28:18 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=satlexmb08.amd.com; pr=C Received: from satlexmb08.amd.com (165.204.84.17) by SJ1PEPF00001CE3.mail.protection.outlook.com (10.167.242.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.12 via Frontend Transport; Tue, 17 Feb 2026 19:28:18 +0000 Received: from satlexmb08.amd.com (10.181.42.217) by satlexmb08.amd.com (10.181.42.217) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Tue, 17 Feb 2026 13:28:17 -0600 Received: from xsjlizhih51.xilinx.com (10.180.168.240) by satlexmb08.amd.com (10.181.42.217) with Microsoft SMTP Server id 15.2.2562.17 via Frontend Transport; Tue, 17 Feb 2026 13:28:17 -0600 From: Lizhi Hou To: , , , CC: Lizhi Hou , , , , Subject: [PATCH V1] accel/amdxdna: Prevent ubuf size overflow Date: Tue, 17 Feb 2026 11:28:15 -0800 Message-ID: <20260217192815.1784689-1-lizhi.hou@amd.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00001CE3:EE_|DM4PR12MB7672:EE_ X-MS-Office365-Filtering-Correlation-Id: 4410bed0-4b40-44ba-0afd-08de6e5ab483 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|1800799024|376014|36860700013; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?+elcOLa5csj1eFfYhGLpx6h3poscI7ISaYTPHl4HcuHw8/EjW/J0FL6OTJ7k?= =?us-ascii?Q?RYouabIPMQisrDmuF88X2S0qYQrU2s/vOwVwocoDCiAuJQR32SvzFnlHYQSf?= =?us-ascii?Q?aRW/KutAvXFgg0plpxLRhUgLrFmoRMAqIp8x6OCAclm5D/EK4ghm+rbQpHHQ?= =?us-ascii?Q?e8D/AJkXLJw48OwD1EuOPDJDqB3Qn2LxFdVam4t2rV9+ArxZaWjz/8I50znp?= =?us-ascii?Q?VLxGEmjVy9FQAYIlnUY6SBhMtTlUFfabz8+z8riL1qWnzAoRlFsU8+kyvRpr?= =?us-ascii?Q?+nfdczdHKqoi/QCPxjEkoDM2JhMfS/RtZa5R6MLD2WIOIWHElGyA6LxdS+An?= =?us-ascii?Q?f5hnshVgO4ZvZ1RpxosJUnNoPwYFTcUbojoPJ14aThcfxMUvoyMAOUk3BVKf?= =?us-ascii?Q?PFBR8MLUW2JjCbW32F179LC/gexS6pIEh9wZu0NKBaB7fkX3yeY4ybxmWRNh?= =?us-ascii?Q?Y5AJy4cpeeoAhyGJ3rKmdsjxIIGi4jQUJcc7KUiNTsJHxlwJkumVdFePOfmC?= =?us-ascii?Q?bbBEbhEAy3zzQC4rERTAEan8LpcWwHwGrFPObxn5R5acDvhEgavFFQ0HbraZ?= =?us-ascii?Q?Tjk5Urw4ZOlp1xSEJEwOc64cQ5NsaV9z9DWFEmLoFkhMK1RLlIEi7dghu9Pr?= =?us-ascii?Q?lBAWw+ezuXoa+Se+cdm2cYIEatbxobDoBrto6TBr1LDEnR+pTHz2ZNxJIix9?= =?us-ascii?Q?Any4oxFGaCumd4cuxqRFvaNqhRfZZWI0etioj36MhWIAyhtiHpee1VPFJNny?= =?us-ascii?Q?jxFFi6xueJOpcy59LXLWd2KmORH9cnGP4mv9vlEkjSuq/shlg/DEJQ6mqrjS?= =?us-ascii?Q?1jXlisrfiW4K63CWVGAVYe0Bv6k2bD1H7nq6ymrhHkGOZ61/P6slmmnt9QJa?= =?us-ascii?Q?nPetc0vVUSHqqJJrIzKEMJQ0rJHp1bll6LdrZp4k5Zp2qiyJ/WNN3JQCvQGi?= =?us-ascii?Q?Hpq7371aqQeheyvXqRBRjj934YM/xLVfDA7Oexw/zpBSfYUi3lh6mxsBIrc0?= =?us-ascii?Q?1TNzJXACXcN1IQxfGjOIfHYsdFbtzlHZT3GSHudL0faCxg21wwtflq2XczYK?= =?us-ascii?Q?QWfWR4XQEeJjqM8M3b87da5+pdVnt3bWbDJZ1u/STltgRnNow2W84MQNdPkP?= =?us-ascii?Q?ikxM4oTkBfX3Vz0jti2+e1WZN4w2Q1vWdCDu7KBxkaRqCMN303ZEbQdCf1Lt?= =?us-ascii?Q?NksBnw+O6SFmUSwS/Y8BnqKKgvQeSMu9Xqn/h4STyiMNwjHnBUkmr1ryv7Nq?= =?us-ascii?Q?Rd40Lp9U0nNRmY6vqMep3yAG3UkEeScPugmRYbGHFaOtZmWtTlDGUAO6byxR?= =?us-ascii?Q?vDMs31O6LMLlLojmk9ijBU4lfxcBFfj64ljXWcYrBqV76swOwAjDaMezmle6?= =?us-ascii?Q?+F3yqggs7b09USGxRb3pePFn4E1JDff/FehlylQUradxPRPcG1VwFqskvOeX?= =?us-ascii?Q?o5kSOorZi0vkV1Euu6C8gtMobjwItyyj5C7b7kTTo2p9w62PbWjYKUO5kPhG?= =?us-ascii?Q?gN6tQ4IU92wyX50GpziPr5tUE0lXcDY0kgDvKmT/90pOCMvzooGFid+ntOA1?= =?us-ascii?Q?9g7NcUE2+JtEtuNE8wDM37BxkkFXwnRtOLm7/R3SjYte7QnDv2rehwHNJBRZ?= =?us-ascii?Q?dPzalduv0JE912KXXq1QMpNdV4q9rCgFEIZpIr0cZrSRVOAC8PEIPxOsvYpu?= =?us-ascii?Q?mrpkZw=3D=3D?= X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:satlexmb08.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(376014)(36860700013);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: ARR0uLg1iORcbbGu5v1jc0/jZfIPmrghsDHKzKlSbNh6ricR87upsbClrNg9W32T/3IYdt82SXN0J8FKadW2tYy2ovExCeH3HAUKMc/EdI1n6RnKIOSPqExwrCGmJ3WNrU1YXCiWaCPWWlKpq56SiXiNlYgCVb7si5iqQi0/3OmyKUfQdHOFseNh4gIKHkaYzASyETMCCpu5Yz2cnn/Yc1Uu2upiPRHWuJNUHTJ0BJGFVKdojA9SoXrjE5FsEl6/z4kCmaLJh88CfDMo2K51OaAXXa/sgQlktMNnfStBFG+P+boL/roBsX7X104M1ooIzhZw0z083c4HVQDkBH1zcrfbZ4SVil8zFm+xNgWmE2cIZD0wQHCYEcjk8i3gV8EP7/QnAHbNv6mIdQc50GX5fIHGemILTbJ69FBLdSPI4vriHMnsXxt6MxlvpMhja7Dv X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Feb 2026 19:28:18.6952 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 4410bed0-4b40-44ba-0afd-08de6e5ab483 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[satlexmb08.amd.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00001CE3.namprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB7672 Content-Type: text/plain; charset="utf-8" The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size calculation before allocation. Fixes: bd72d4acda10 ("accel/amdxdna: Support user space allocated buffer") Signed-off-by: Lizhi Hou Reviewed-by: Mario Limonciello (AMD) --- drivers/accel/amdxdna/amdxdna_ubuf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/a= mdxdna_ubuf.c index 9e3b3b055caa..62a478f6b45f 100644 --- a/drivers/accel/amdxdna/amdxdna_ubuf.c +++ b/drivers/accel/amdxdna/amdxdna_ubuf.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include =20 @@ -176,7 +177,10 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *de= v, goto free_ent; } =20 - exp_info.size +=3D va_ent[i].len; + if (check_add_overflow(exp_info.size, va_ent[i].len, &exp_info.size)) { + ret =3D -EINVAL; + goto free_ent; + } } =20 ubuf->nr_pages =3D exp_info.size >> PAGE_SHIFT; --=20 2.34.1