From: Muhammad Bilal
To: robh@kernel.org
Cc: tomeu@tomeuvizoso.net, ogabbay@kernel.org, tzimmermann@suse.de, Frank.Li@nxp.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] accel/ethosu: fix integer overflow in dma_length()
Date: Sun, 24 May 2026 05:16:58 +0000
Message-ID: <20260524051659.70654-1-meatuni001@gmail.com>
X-Mailer: git-send-email 2.53.0

dma_length() computes the total DMA transfer length as:

    len = ((len + stride[0]) * size0 + stride[1]) * size1

where len and stride[] are 64-bit values derived from user-supplied
40-bit command stream fields, and size0/size1 are user-supplied u16
values. The final multiplication by size1 (up to 65535) on an
intermediate result that can already be ~2^55 easily exceeds 2^64,
wrapping the u64 result to a small positive value.

This wrapped value is then stored in info->region_size[] and compared
against gem->size in ethosu_job.c:

    if (cmd_info->region_size[i] > gem->size)
        return -EOVERFLOW;

A userspace caller can craft stride and size values so that the
calculated length wraps to zero or a small value, passing this check
while the hardware executes a DMA transfer with the original large
strides, accessing memory far outside the GEM buffer.

Fix by replacing the unchecked multiplications with
check_mul_overflow(), returning U64_MAX on overflow. The callers of
dma_length() already treat U64_MAX as an error sentinel.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
--- drivers/accel/ethosu/ethosu_gem.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethos= u_gem.c index 5a02285a4986..1f132611a6ce 100644 
--- a/drivers/accel/ethosu/ethosu_gem.c +++ b/drivers/accel/ethosu/ethosu_gem.c @@ -2,6 +2,7 @@ /* Copyright 2025 Arm, Ltd. */ =20 #include +#include #include =20 #include @@ -165,11 +166,13 @@ static u64 dma_length(struct ethosu_validated_cmdstre= am_info *info, =20 if (mode >=3D 1) { len +=3D dma->stride[0]; - len *=3D dma_st->size0; + if (check_mul_overflow(len, (u64)dma_st->size0, &len)) + return U64_MAX; } if (mode =3D=3D 2) { len +=3D dma->stride[1]; - len *=3D dma_st->size1; + if (check_mul_overflow(len, (u64)dma_st->size1, &len)) + return U64_MAX; } if (dma->region >=3D 0) info->region_size[dma->region] =3D max(info->region_size[dma->region], --=20 2.53.0
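
Review bot: in the dma_length() hunk, both new `return U64_MAX` paths exit before the `info->region_size[dma->region] = max(...)` update in the trailing context, so on overflow the per-region size is left at its previous value and rejection rests entirely on every caller testing the return value for U64_MAX. The commit message says the callers already do that; please name the call sites that were checked, or, when `dma->region >= 0`, store U64_MAX in `info->region_size[dma->region]` before returning so the `region_size[i] > gem->size` comparison quoted in the commit message fails as well. Separately, `len += dma->stride[0]` and `len += dma->stride[1]` stay unchecked. The commit message bounds the stride fields to 40 bits, which is what keeps those sums from wrapping, so a one-line comment stating that bound, or check_add_overflow() for symmetry with the multiplications, would keep the invariant visible in the code.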