From: Muhammad Bilal
To: robh@kernel.org
Cc: tomeu@tomeuvizoso.net, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
Date: Sat, 23 May 2026 20:14:44 +0000
Message-ID: <20260523201444.66197-1-meatuni001@gmail.com>
In-Reply-To: <20260523190843.33977-1-meatuni001@gmail.com>
References: <20260523190843.33977-1-meatuni001@gmail.com>

While reviewing the command stream parser further, I noticed that weight[1..3] and scale[1] have their base and length parsed but no corresponding WEIGHT1_REGION/SCALE1_REGION commands exist in the UAPI. After cmd_state_init() memsets the state to 0xff, their .region field stays 0xff and is never assigned, so calc_sizes() never updates region_size[] with their extents.

The job submission in ethosu_job.c validates region_size[i] <= gem->size, but since secondary weights never wrote into region_size[], a userspace caller could supply large base+length values for weight[1..3] or scale[1] that exceed the GEM buffer without the kernel catching it.

Does the hardware specification guarantee that weight[1..3] and scale[1] are always sub-offsets within weight[0]'s region, or can they reference memory independently? If the latter, should their extents be validated against region_size[weight[0].region] in calc_sizes()?

Muhammad Bilal
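The validation gap the message describes, modelled as an added example in C. This is not the ethosu driver's code: the struct layout, the `NUM_REGIONS` and `REGION_UNSET` values, the 4 KiB GEM buffer and every function body are constructed assumptions that only mirror the behaviour described above (state memset to 0xff, `calc_sizes()` skipping extents whose `.region` was never set, submission checking `region_size[i] <= gem->size`). It contrasts that existing check with the extra check the message proposes, bounding unassigned extents by `region_size[weight[0].region]`, and also rejects a `base + len` that wraps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the parser state; names, sizes and the sentinel are
 * assumptions for illustration, not the driver's definitions. */
#define NUM_REGIONS 8
#define REGION_UNSET 0xffu	/* what memset(state, 0xff, ...) leaves in .region */

struct extent {
	uint64_t base;
	uint64_t len;
	uint8_t region;
};

struct cmd_state {
	struct extent weight[4];
	struct extent scale[2];
	uint64_t region_size[NUM_REGIONS];
};

/* Assumed init: the whole state is memset to 0xff, region_size[] starts at 0. */
static void cmd_state_init(struct cmd_state *s)
{
	memset(s, 0xff, sizeof(*s));
	memset(s->region_size, 0, sizeof(s->region_size));
}

/* Modelled calc_sizes(): only extents that selected a region grow
 * region_size[]. Extents still at REGION_UNSET are skipped; that is the gap. */
static bool calc_sizes(struct cmd_state *s)
{
	const struct extent *all[] = { &s->weight[0], &s->weight[1], &s->weight[2],
				       &s->weight[3], &s->scale[0], &s->scale[1] };
	for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++) {
		const struct extent *e = all[i];
		if (e->region >= NUM_REGIONS || e->len == 0)
			continue;
		if (e->base > UINT64_MAX - e->len)
			return false;	/* base + len would wrap */
		uint64_t end = e->base + e->len;
		if (end > s->region_size[e->region])
			s->region_size[e->region] = end;
	}
	return true;
}

/* The existing submission check: every region must fit its GEM buffer. */
static bool regions_fit_gem(const struct cmd_state *s, const uint64_t *gem_size)
{
	for (int i = 0; i < NUM_REGIONS; i++)
		if (s->region_size[i] > gem_size[i])
			return false;
	return true;
}

/* Proposed extra check: extents that never selected a region must lie
 * within the region weight[0] selected, with overflow-safe arithmetic. */
static bool secondary_extents_fit(const struct cmd_state *s)
{
	const struct extent *sec[] = { &s->weight[1], &s->weight[2], &s->weight[3], &s->scale[1] };
	if (s->weight[0].region >= NUM_REGIONS)
		return false;
	uint64_t bound = s->region_size[s->weight[0].region];
	for (size_t i = 0; i < sizeof(sec) / sizeof(sec[0]); i++) {
		const struct extent *e = sec[i];
		if (e->region != REGION_UNSET || e->len == 0)
			continue;
		if (e->base > UINT64_MAX - e->len || e->base + e->len > bound)
			return false;
	}
	return true;
}

/* Constructed job: a 4 KiB weight[0] in region 2 backed by a 4 KiB GEM buffer,
 * plus a caller-chosen weight[1] whose .region is never set. Returns 1 if the
 * job would be accepted, 0 if rejected. */
static int check_job(uint64_t w1_base, uint64_t w1_len, bool strict)
{
	struct cmd_state s;
	uint64_t gem_size[NUM_REGIONS] = { 0 };

	cmd_state_init(&s);
	s.weight[0] = (struct extent){ .base = 0, .len = 4096, .region = 2 };
	s.weight[1].base = w1_base;
	s.weight[1].len = w1_len;
	/* extents this job does not use are zero-length; their .region stays unset */
	s.weight[2].len = s.weight[3].len = s.scale[0].len = s.scale[1].len = 0;
	gem_size[2] = 4096;

	if (!calc_sizes(&s) || !regions_fit_gem(&s, gem_size))
		return 0;
	if (strict && !secondary_extents_fit(&s))
		return 0;
	return 1;
}

int main(void)
{
	printf("oversized weight[1], existing check: %s\n", check_job(0x100000, 0x1000, false) ? "accepted" : "rejected");
	printf("oversized weight[1], with extra check: %s\n", check_job(0x100000, 0x1000, true) ? "accepted" : "rejected");
	printf("in-bounds weight[1], with extra check: %s\n", check_job(512, 256, true) ? "accepted" : "rejected");
	return 0;
}
```

With only the existing `region_size[i] <= gem_size[i]` check, the oversized `weight[1]` is accepted because nothing it parsed ever reached `region_size[]`; the extra check rejects it while still accepting an extent that fits inside `weight[0]`'s region. If the hardware specification instead allows these extents to address memory independently, the same loop would need a region of its own to compare against rather than `weight[0]`'s.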