From: Vanshika Shukla <[email protected]>
In fsl_qdma_enqueue_desc_sg(), the code accesses desc_ssge[num - 1]
without validating num first. If pending_num is 0, num will be 0 and
the access underflows. Add a bounds check to return -EINVAL when num
is 0 or exceeds FSL_QDMA_SG_MAX_ENTRY.
Fixes: a77261f61245 ("dma/dpaa: support scatter-gather")
Cc: [email protected]
Signed-off-by: Vanshika Shukla <[email protected]>
---
drivers/dma/dpaa/dpaa_qdma.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/dpaa/dpaa_qdma.c b/drivers/dma/dpaa/dpaa_qdma.c
index 74e23d2ee5..b20ff24ab6 100644
--- a/drivers/dma/dpaa/dpaa_qdma.c
+++ b/drivers/dma/dpaa/dpaa_qdma.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright 2021-2024 NXP
+ * Copyright 2021-2026 NXP
*/
#include <bus_dpaa_driver.h>
@@ -827,6 +827,11 @@ fsl_qdma_enqueue_desc_sg(struct fsl_qdma_queue *fsl_queue)
}
}
+ if (num == 0 || num > FSL_QDMA_SG_MAX_ENTRY) {
+ DPAA_QDMA_ERR("Invalid scatter-gather entry count: num=%u",
num);
+ return -EINVAL;
+ }
+
ft->desc_ssge[num - 1].final = 1;
ft->desc_dsge[num - 1].final = 1;
csgf_src->length = total_len;
--
2.43.0
