[PATCH V1] accel/amdxdna: Validate command buffer payload count

Lizhi Hou posted 1 patch 1 month, 1 week ago
[PATCH V1] accel/amdxdna: Validate command buffer payload count
Posted by Lizhi Hou 1 month, 1 week ago
The count field in the command header is used to determine the valid
payload size. Verify that the valid payload does not exceed the remaining
buffer space.

Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
 drivers/accel/amdxdna/amdxdna_ctx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
index d17aef89a0ad..cf4d3af67bf7 100644
--- a/drivers/accel/amdxdna/amdxdna_ctx.c
+++ b/drivers/accel/amdxdna/amdxdna_ctx.c
@@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size)
 
 	if (size) {
 		count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header);
-		if (unlikely(count <= num_masks)) {
+		if (unlikely(count <= num_masks ||
+			     count * sizeof(u32) +
+			     offsetof(struct amdxdna_cmd, data[0]) >
+			     abo->mem.size)) {
 			*size = 0;
 			return NULL;
 		}
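
Review bot: The new bound added to the `count <= num_masks || ...` condition is only evaluated inside `if (size)`, so a caller that passes a NULL size skips both the old mask test and the new comparison against abo->mem.size. If the function still returns a pointer into the command data on that path, count stays unvalidated there; consider doing the comparison before the `if (size)` block and gating only the `*size = 0` store on size. Also, cmd->header is read by FIELD_GET() before anything is compared with abo->mem.size, so the check assumes the buffer is at least large enough to hold the header; a short comment or an explicit minimum-size test would make that assumption visible.
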
-- 
2.34.1
Re: [PATCH V1] accel/amdxdna: Validate command buffer payload count
Posted by Mario Limonciello (AMD) (kernel.org) 1 month, 1 week ago

On 2/19/2026 3:19 PM, Lizhi Hou wrote:
> The count field in the command header is used to determine the valid
> payload size. Verify that the valid payload does not exceed the remaining
> buffer space.
> 
> Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
>   drivers/accel/amdxdna/amdxdna_ctx.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
> index d17aef89a0ad..cf4d3af67bf7 100644
> --- a/drivers/accel/amdxdna/amdxdna_ctx.c
> +++ b/drivers/accel/amdxdna/amdxdna_ctx.c
> @@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size)
>   
>   	if (size) {
>   		count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header);
> -		if (unlikely(count <= num_masks)) {
> +		if (unlikely(count <= num_masks ||
> +			     count * sizeof(u32) +
> +			     offsetof(struct amdxdna_cmd, data[0]) >
> +			     abo->mem.size)) {
>   			*size = 0;
>   			return NULL;
>   		}
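
Review bot: The four-line condition under `unlikely(` mixes the mask test with open-coded size arithmetic, which makes the bound harder to audit than it needs to be. `count * sizeof(u32) + offsetof(struct amdxdna_cmd, data[0])` is the header plus count payload words; if data is a flexible array member at the end of struct amdxdna_cmd, `struct_size(cmd, data, count) > abo->mem.size` expresses the same bound and saturates rather than wraps, so the result does not depend on the width of the AMDXDNA_CMD_COUNT field. Computing it into a named local before the `if` and adding a one-line comment that count is in u32 words would keep the condition on one line.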