From: Muhammad Bilal
To: robh@kernel.org
Cc: tomeu@tomeuvizoso.net, ogabbay@kernel.org, tzimmermann@suse.de, Frank.Li@nxp.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] accel/ethosu: fix IFM region index out-of-bounds in command stream parser
Date: Sat, 23 May 2026 19:51:59 +0000
Message-ID: <20260523195159.55801-1-meatuni001@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a
maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:

  NPU_SET_OFM_REGION:    st.ofm.region = param & 0x7;
  NPU_SET_IFM2_REGION:   st.ifm2.region = param & 0x7;
  NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
  NPU_SET_SCALE_REGION:  st.scale[0].region = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly as
an array subscript into the kzalloc'd info struct:

  info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes a
write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region
assignments.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
---
 drivers/accel/ethosu/ethosu_gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethos= u_gem.c index f526f4aedffd..80d4bc21c28f 100644 --- a/drivers/accel/ethosu/ethosu_gem.c +++ b/drivers/accel/ethosu/ethosu_gem.c @@ -466,7 +466,7 @@ static int ethosu_gem_cmdstream_copy_and_validate(struc= t drm_device *ddev, st.ifm.broadcast =3D param; break; case NPU_SET_IFM_REGION: - st.ifm.region =3D param & 0x7f; + st.ifm.region =3D param & 0x7; break; case NPU_SET_IFM_WIDTH0_M1: st.ifm.width0 =3D param; --=20 2.53.0
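
Review bot: In the NPU_SET_IFM_REGION case the new `param & 0x7` is still a bare literal, tied to the array bound only because 0x7 happens to equal NPU_BASEP_REGION_MAX - 1. The commit message states that region_size[] and output_region[] are sized by NPU_BASEP_REGION_MAX, so deriving the mask from that constant (for example `param & (NPU_BASEP_REGION_MAX - 1)`, or one named mask shared by every region case) would keep the index range and the array size from drifting apart again. Masking also folds an out-of-range param onto a valid region (8 becomes 0) rather than failing validation; since this function returns int and is the validator for a userspace-supplied command stream, consider whether an explicit range check that returns an error, or a bounds check where `info->region_size[fm->region]` is subscripted, is the better behaviour here.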