accel/amdxdna: Validate command buffer payload count

The count field in the command header is used to determine the valid
payload size. Verify that the valid payload does not exceed the remaining
buffer space.

Fixes: aac243092b70 ("accel/amdxdna: Add command execution")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260219211946.1920485-1-lizhi.hou@amd.com

diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
index 5173456bbb6125d4c87f5cb3444f0e78c70014f6..263d36072540451549c46184dd35e183c7c43862 100644 (file)
--- a/drivers/accel/amdxdna/amdxdna_ctx.c
+++ b/drivers/accel/amdxdna/amdxdna_ctx.c
@@ -104,7 +104,10 @@ void *amdxdna_cmd_get_payload(struct amdxdna_gem_obj *abo, u32 *size)
 
        if (size) {
                count = FIELD_GET(AMDXDNA_CMD_COUNT, cmd->header);
-               if (unlikely(count <= num_masks)) {
+               if (unlikely(count <= num_masks ||
+                            count * sizeof(u32) +
+                            offsetof(struct amdxdna_cmd, data[0]) >
+                            abo->mem.size)) {
                        *size = 0;
                        return NULL;
                }