On Mon, Jun 1, 2026 at 3:44 PM Yongqiang Sun <[email protected]> wrote:
>
> Malformed ACPI CRAT tables can advertise a zero or undersized subtype
> length. The parser then fails to advance the cursor and loops forever
> while the remaining image still looks large enough for a generic header.
>
> Validate sub_type_hdr->length on each iteration before parsing or
> advancing. Return -EINVAL and warn when length is zero or smaller than
> the generic subtype header.
>
> Signed-off-by: Yongqiang Sun <[email protected]>

Acked-by: Alex Deucher <[email protected]> > --- > drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c > b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c > index cf7b1b038d5f..cea1dc654125 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c > @@ -1404,6 +1404,14 @@ int kfd_parse_crat_table(void *crat_image, struct > list_head *device_list, > sub_type_hdr = (struct crat_subtype_generic *)(crat_table+1); > while ((char *)sub_type_hdr + sizeof(struct crat_subtype_generic) < > ((char *)crat_image) + image_len) { > + if (!sub_type_hdr->length || > + sub_type_hdr->length < sizeof(struct > crat_subtype_generic)) { > + pr_warn("Invalid CRAT subtype length %u\n", > + sub_type_hdr->length); > + ret = -EINVAL; > + break; > + } > + > if (sub_type_hdr->flags & CRAT_SUBTYPE_FLAGS_ENABLED) { > ret = kfd_parse_subtype(sub_type_hdr, device_list); > if (ret) > -- > 2.43.0 >
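
Review bot: the check added at the top of the while loop in kfd_parse_crat_table() bounds sub_type_hdr->length from below only, so a subtype whose length runs past the end of the image is still handed to kfd_parse_subtype(). The loop condition guarantees only that a generic header fits before crat_image + image_len, not that the full advertised length does. Consider rejecting that case in the same branch, for example by also testing `(char *)sub_type_hdr + sub_type_hdr->length > ((char *)crat_image) + image_len` and returning -EINVAL. A smaller point in the same condition: `!sub_type_hdr->length` is already covered by `sub_type_hdr->length < sizeof(struct crat_subtype_generic)`, since zero is smaller than the header size, so the first test can be dropped without changing behaviour.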
