[PATCH] accel/habanalabs: reject zero-element timestamp buffer allocation

Ziyi Guo Fri, 13 Feb 2026 09:35:41 -0800

A user can issue a DRM_IOCTL_HL_MEMORY ioctl with
op=HL_MEM_OP_TS_ALLOC and num_of_elements=0. The
allocate_timestamps_buffers() function only validates the upper bound
(> TS_MAX_ELEMENTS_NUM) but not zero, allowing num_of_elements=0 to
reach vmalloc_user(0 * sizeof(u64)), which triggers WARN_ON_ONCE(!size)
in __vmalloc_node_range().


On systems with panic_on_warn=1, this allows a local user with device
access to crash the kernel.

Add a zero check to the existing validation, matching the pattern
already present in HL_MEM_OP_ALLOC (memory.c:2214).

Fixes: 9158bf69e74f ("habanalabs: Timestamps buffers registration")
Signed-off-by: Ziyi Guo <[email protected]>
---
 drivers/accel/habanalabs/common/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/accel/habanalabs/common/memory.c 
b/drivers/accel/habanalabs/common/memory.c
index 633db4bff46f..37dbb9a013bf 100644
--- a/drivers/accel/habanalabs/common/memory.c
+++ b/drivers/accel/habanalabs/common/memory.c
@@ -2176,8 +2176,9 @@ static int allocate_timestamps_buffers(struct hl_fpriv 
*hpriv, struct hl_mem_in
        struct hl_mem_mgr *mmg = &hpriv->mem_mgr;
        struct hl_mmap_mem_buf *buf;
 
-       if (args->num_of_elements > TS_MAX_ELEMENTS_NUM) {
-               dev_err(mmg->dev, "Num of elements exceeds Max allowed number 
(0x%x > 0x%x)\n",
+       if (args->num_of_elements > TS_MAX_ELEMENTS_NUM ||
+                               args->num_of_elements == 0) {
+               dev_err(mmg->dev, "Invalid num of elements %u, valid range [1, 
0x%x]\n",
                                args->num_of_elements, TS_MAX_ELEMENTS_NUM);
                return -EINVAL;
        }
-- 
2.34.1

[PATCH] accel/habanalabs: reject zero-element timestamp buffer allocation

Reply via email to