From nobody Sun May 24 18:41:11 2026 Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2DA4B27F4F5 for ; Sun, 24 May 2026 10:37:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779619042; cv=none; b=M1jSCQVRYkKG5dnvuXXWesz3MZ3GA8t8R0PX8vwA3brsAYN3JEE8U/F8I9u4ezff+dd9ecuzIvT2yvQupcRCDtFDNeel91SehuZMn0MaKKuQuKKpVI5MLpbF/9C1UZ55hR3yHDfAUH1kEGp1ct2Te8nviLn8SgZtRGjjSe2sZpE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779619042; c=relaxed/simple; bh=5BBjvwH1SFC1IbOlD3lNfjrYB8x4Ns4FSb7De3zt/1U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ieyZw+tcapLKfUjt1P8EFY5hKYYXfoySjJ5VSEL11mdVpNZW9NhZRmnnwLpBWZlRzHbEut12aAePrGjdM4eev/an53MJBLcDGGmK2am+jH4e05gtSehaa8IzSmbNhMLtKHnYDYquKStDzsejnvp8z2NbgrRbxBu9Qm6LYhogh1c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=n+QY/xP3; arc=none smtp.client-ip=209.85.210.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="n+QY/xP3" Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-834f1075805so6789390b3a.2 for ; Sun, 24 May 2026 03:37:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779619040; x=1780223840; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Srn/gFRHpPCBsHxpWI/ceV1wqLaO51KjDzwp1tS24PQ=; b=n+QY/xP3wPEsr+lmySllIiUoz7fw+NyTBXlkOD2GMhxwwVeFNq/vzS46A6OD64nL12 Hog9Rg6HVt22wXJvjUINDGVa844rdNg80ngnVg9yXrrcZMLl4ZMWjHXzubscIXy9av6y cpAgnKGJmlflrG0Lkvn51j+cNmWpJRo/92q4kOEzXvKyYnPrbZrHdO6MQAdjY6NUIjoo ds8L0PudzRQQAy6Y3TMdPQdHhfGk80i5BuGQSMEhqnb9bZIa1+D+2nthmels9RV8UrBp T6kZZfomFBjwG8KZo5dS4MyNvnfGwhDP+Qe1Fm0lllW0CJzBgSHcIn/0LEerA7VOA8Ws APXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779619040; x=1780223840; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Srn/gFRHpPCBsHxpWI/ceV1wqLaO51KjDzwp1tS24PQ=; b=Z9NLZOmvQ9LAVnTCh/M/XYCO3PAqxqA+6zdH2rFqxQZgUjo0tN2R3fwUF9jHCdlN42 d5SZokN4XitJEwsQoC+EFax7kdo+MGAEFFNvO6yG7kRRkINJd+dsqRwyPV/R6q0/gDYR Hw2ftrPV2UzUmUvkRXg51+13VRCUCHGjYoHtbtvKP3O4rcgQExqvAw9etm94EM187tCm fCnN+x0gZ7LEtyt+IscYyuHyFtbaxyhpSpRTu65FWaTbIm1/i3tvCB+e+egRNe9+ztVZ 2WjgX79StGbYw++2HxfiO4IueR3XcBhapgGXFS4H0BGR5/J/ofd9zXBVXghe0g50U24Q A4Iw== X-Forwarded-Encrypted: i=1; AFNElJ+ePpBCIBPwlLHai8QcYLrHZSgB5Ye1vTHgkp5F+zdoxY5uJdsxm1WrLtw/BsPWldDIFttK+iynSIUSORY=@vger.kernel.org X-Gm-Message-State: AOJu0Yxb4hDS6k40NyN5iRZKiqfpyFhjVpq5dhGG8wFjR5M2F2zK1lES iJy8TvOwef3EvCo3ErdnpTdUWbRe4Xyqwn0CrxwqG52FWdkb42wS1T1efdwCuP1RP0vQrg== X-Gm-Gg: Acq92OGmqVes3G5ymC7IFae45jDDsai5hzxfQdM9F4ezdcohy+4zJ9e8hNlfkDFB5jK irjXLtCbMQseQZbSIwF53fDFErIPsgvrOG1djsoVVOMo2puStysoqPHHmihuVlj4do+T++JjDml l8GOp6DX4t/9S02VRZAbKe9q0LKMiLs0E4gBUdlLnuAlnukhBVJIqxbVg9aADcbJwIsLes4Cjqh 1EmkFsgf1MEZ7fH68cQF6KFv9rTs9XIP/YoBp6ZDzeo3o8+BePJi70pI2gMeh5SAVapS8JxEX9j g782VJQNrMd2M1imkHdF4Gtje50inWaXgP4m9gFSTZuzUADEErHAFxdIq9XnYdfIgMa1hiJM7Ev JnWE+RJD95oMrN0aobavrCizoq3xJUlTuaVhTvSN8ctGQh2AIMEWAjdGzA3qD5hvtiooer8X6+o KwLCkvX4PjOFXXaIzcnB/uXjZqsFrioyqsx8gFWB6RlSiaAaqGspGrgWPEOsJLJxFNighpaZzNj GczE++CbqfNfUGfHUdCy/3E/OkHL67dxdKMjqt53f5+UpHWxb2wpbg6kTUXDb11wRTirrZHAu8M d+83VBMfX5o= X-Received: by 2002:a05:6a00:4f94:b0:83d:b11f:796c with SMTP id d2e1a72fcca58-8415f3d3adbmr10063728b3a.49.1779619040399; Sun, 24 May 2026 03:37:20 -0700 (PDT) Received: from codespaces-78f0a7.dxrpqgqhlb3ehogrxrezr215ye.rx.internal.cloudapp.net ([20.192.21.56]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-84164afe338sm6763005b3a.18.2026.05.24.03.37.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 May 2026 03:37:19 -0700 (PDT) From: Muhammad Bilal To: robh@kernel.org Cc: tomeu@tomeuvizoso.net, ogabbay@kernel.org, tzimmermann@suse.de, Frank.Li@nxp.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal Subject: [PATCH v3] accel/ethosu: fix arithmetic issues in dma_length() Date: Sun, 24 May 2026 10:37:10 +0000 Message-ID: <20260524103710.47397-1-meatuni001@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260524060644.106635-1-meatuni001@gmail.com> References: <20260524060644.106635-1-meatuni001@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" dma_length() derives DMA region usage from command stream values and updates region_size[]: len =3D ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] =3D max(..., len + dma->offset) Several arithmetic issues can corrupt the derived region size: - signed stride values may underflow when added to len - intermediate multiplications may overflow - len + dma->offset may overflow during region_size updates - dma_length() error returns were not validated by the caller region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation. Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller. Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal --- v3: - add check_add_overflow() for len + dma->offset - validate dma_length() return value in caller - rework commit message to avoid unproven claims v2: - add negative stride underflow checks before each addition - replace unchecked multiplications with check_mul_overflow() drivers/accel/ethosu/ethosu_gem.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethos= u_gem.c index 5a02285a4986..8e95539da98f 100644 --- a/drivers/accel/ethosu/ethosu_gem.c +++ b/drivers/accel/ethosu/ethosu_gem.c @@ -2,6 +2,7 @@ /* Copyright 2025 Arm, Ltd. */ =20 #include +#include #include =20 #include @@ -164,16 +165,26 @@ static u64 dma_length(struct ethosu_validated_cmdstre= am_info *info, u64 len =3D dma->len; =20 if (mode >=3D 1) { + if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len) + return U64_MAX; len +=3D dma->stride[0]; - len *=3D dma_st->size0; + if (check_mul_overflow(len, (u64)dma_st->size0, &len)) + return U64_MAX; } if (mode =3D=3D 2) { + if (dma->stride[1] < 0 && (u64)(-dma->stride[1]) > len) + return U64_MAX; len +=3D dma->stride[1]; - len *=3D dma_st->size1; + if (check_mul_overflow(len, (u64)dma_st->size1, &len)) + return U64_MAX; + } + if (dma->region >=3D 0) { + u64 end; + + if (check_add_overflow(len, dma->offset, &end)) + return U64_MAX; + info->region_size[dma->region] =3D max(info->region_size[dma->region], e= nd); } - if (dma->region >=3D 0) - info->region_size[dma->region] =3D max(info->region_size[dma->region], - len + dma->offset); =20 return len; } @@ -397,6 +408,8 @@ static int ethosu_gem_cmdstream_copy_and_validate(struc= t drm_device *ddev, case NPU_OP_DMA_START: srclen =3D dma_length(info, &st.dma, &st.dma.src); dstlen =3D dma_length(info, &st.dma, &st.dma.dst); + if (srclen =3D=3D U64_MAX || dstlen =3D=3D U64_MAX) + return -EINVAL; =20 if (st.dma.dst.region >=3D 0) info->output_region[st.dma.dst.region] =3D true; --=20 2.53.0