From: Rob Herring <robh@kernel.org>
To: Muhammad Bilal <meatuni001@gmail.com>
Cc: tomeu@tomeuvizoso.net, ogabbay@kernel.org, tzimmermann@suse.de,
	Frank.Li@nxp.com, dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] accel/ethosu: fix IFM region index out-of-bounds in command stream parser
Date: Thu, 4 Jun 2026 22:09:10 -0500
Message-ID: <20260605030910.GA1800024-robh@kernel.org>
In-Reply-To: <20260523195159.55801-1-meatuni001@gmail.com>

On Sat, May 23, 2026 at 07:51:59PM +0000, Muhammad Bilal wrote:
> NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
> a maximum value of 127. However region_size[] and output_region[] in
> struct ethosu_validated_cmdstream_info are both sized to
> NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].
> 
> Every other region assignment in the same switch uses param & 0x7:
>   NPU_SET_OFM_REGION:  st.ofm.region  = param & 0x7;
>   NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
>   NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
>   NPU_SET_SCALE_REGION:  st.scale[0].region  = param & 0x7;
> 
> The 0x7f mask on IFM is inconsistent and appears to be a typo.
> 
> feat_matrix_length() and calc_sizes() use the region index directly
> as an array subscript into the kzalloc'd info struct:
>   info->region_size[fm->region] = max(...);
> 
> A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
> a write up to 127*8 = 1016 bytes past the start of region_size[],
> corrupting adjacent kernel heap data.
> 
> Fix by applying the same & 0x7 mask used by all other region
> assignments.
> 
> Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
> ---
>  drivers/accel/ethosu/ethosu_gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I've applied this and the rest of the patches you sent.

Rob
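
The index/bound mismatch described in the quoted commit message, as an added userspace example that is not part of this thread or the driver's code. The struct model_info type and all function names are hypothetical, and the 8-byte element size is an assumption taken from the 127*8 arithmetic in the description:

```c
/* Userspace model of the index/bound mismatch; constructed, not driver code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPU_BASEP_REGION_MAX 8     /* array bound given in the description */
#define REGION_MASK_IFM_OLD  0x7f  /* mask the description reports for IFM */
#define REGION_MASK_COMMON   0x7   /* mask used by the other region commands */

/* Hypothetical stand-in for the info struct; 8-byte elements are assumed. */
struct model_info {
	uint64_t region_size[NPU_BASEP_REGION_MAX];
};

/* Build-time guard: the largest index the mask can yield must fit the array. */
_Static_assert(REGION_MASK_COMMON < NPU_BASEP_REGION_MAX, "mask exceeds bound");

/* Byte offset from the start of region_size[] that a masked param selects. */
size_t region_offset(unsigned param, unsigned mask)
{
	return (size_t)(param & mask) * sizeof(uint64_t);
}

/* Number of distinct masked indices that fall outside region_size[]. */
unsigned count_oob_indices(unsigned mask)
{
	unsigned n = 0;
	for (unsigned p = 0; p <= mask; p++)
		if ((p & mask) >= NPU_BASEP_REGION_MAX)
			n++;
	return n;
}

/* Checked form of "region_size[region] = max(...)": rejects bad indices. */
int set_region_size(struct model_info *info, unsigned region, uint64_t size)
{
	if (region >= NPU_BASEP_REGION_MAX)
		return -1;
	if (size > info->region_size[region])
		info->region_size[region] = size;
	return 0;
}

int main(void)
{
	printf("0x7f: %u bad indices; 0x7: %u\n",
	       count_oob_indices(REGION_MASK_IFM_OLD), count_oob_indices(REGION_MASK_COMMON));
	return 0;
}
```

Pointing the _Static_assert at REGION_MASK_IFM_OLD makes the build fail, which is the kind of check that catches a mask and an array bound drifting apart.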
