From: Muhammad Bilal
To: robh@kernel.org
Cc: tomeu@tomeuvizoso.net, ogabbay@kernel.org, tzimmermann@suse.de, Frank.Li@nxp.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] accel/ethosu: reject DMA commands with uninitialized length
Date: Sun, 24 May 2026 13:03:19 +0000
Message-ID: <20260524130319.12747-1-meatuni001@gmail.com>

cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal --- drivers/accel/ethosu/ethosu_gem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethos= u_gem.c index 8e95539da98f..3401883e207f 100644 --- a/drivers/accel/ethosu/ethosu_gem.c +++ b/drivers/accel/ethosu/ethosu_gem.c @@ -164,6 +164,9 @@ static u64 dma_length(struct ethosu_validated_cmdstream= _info *info, s8 mode =3D dma_st->mode; u64 len =3D dma->len; =20 + if (len =3D=3D U64_MAX) + return U64_MAX; + if (mode >=3D 1) { if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len) return U64_MAX; --=20 2.53.0
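
Review bot: the new `len == U64_MAX` test at the top of dma_length() catches only the exact unset sentinel, while the wrap described in the commit message (a positive stride added to len) applies to any len close enough to U64_MAX, and the context line right after it guards only the negative-stride case. If NPU_SET_DMA0_LEN can supply such a value, consider also guarding the stride addition in the `mode >= 1` branch with check_add_overflow() and returning U64_MAX on overflow, so the result does not depend on the sentinel alone. A one-line comment on the new check saying that U64_MAX means the length was never set would also help readers of this function.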