On Sat, May 23, 2026 at 07:51:59PM +0000, Muhammad Bilal wrote:
> NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
> a maximum value of 127. However region_size[] and output_region[] in
> struct ethosu_validated_cmdstream_info are both sized to
> NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].
> 
> Every other region assignment in the same switch uses param & 0x7:
>   NPU_SET_OFM_REGION:  st.ofm.region  = param & 0x7;
>   NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
>   NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
>   NPU_SET_SCALE_REGION:  st.scale[0].region  = param & 0x7;
> 
> The 0x7f mask on IFM is inconsistent and appears to be a typo.
> 
> feat_matrix_length() and calc_sizes() use the region index directly
> as an array subscript into the kzalloc'd info struct:
>   info->region_size[fm->region] = max(...);
> 
> A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
> a write up to 127*8 = 1016 bytes past the start of region_size[],
> corrupting adjacent kernel heap data.
> 
> Fix by applying the same & 0x7 mask used by all other region
> assignments.
> 
> Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
> Cc: [email protected]
> Signed-off-by: Muhammad Bilal <[email protected]>
> ---
>  drivers/accel/ethosu/ethosu_gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I've applied this and the rest of the patches you sent.

Rob
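The bug described in the quoted commit message can be modelled outside the kernel. The C below is an added example written for this page, not code from the patch or from the Ethos-U driver: it compares the pre-fix index decode (`param & 0x7f`) with the fixed one (`param & 0x7`), counts how many 7-bit parameter values would have landed outside `region_size[]`, and validates a constructed command stream with the fixed mask plus an explicit range check. `NPU_BASEP_REGION_MAX` (8) is the value named in the message; the opcode numbers, the `struct validated_info` layout, the `neighbour` field and the placeholder size are assumptions for the model, not the driver's real encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* NPU_BASEP_REGION_MAX (8) is taken from the commit message. The opcode
 * values are assumptions for this stand-alone model, not the Ethos-U
 * command-stream encoding. */
#define NPU_BASEP_REGION_MAX 8
#define NPU_SET_IFM_REGION 0x01
#define NPU_SET_OFM_REGION 0x02

/* Model of the zero-allocated info struct: the region index is used
 * directly as a subscript, so it must be proven in-bounds first. */
struct validated_info {
    uint64_t region_size[NPU_BASEP_REGION_MAX];
    uint64_t neighbour;   /* stands in for adjacent heap data */
};

struct npu_cmd { uint16_t opcode; uint16_t param; };

/* Index the pre-fix code would compute: up to 127. */
unsigned ifm_region_buggy(uint16_t param) { return param & 0x7f; }

/* Index after the fix, matching the other region assignments: 0..7. */
unsigned ifm_region_fixed(uint16_t param) { return param & 0x7; }

/* Explicit range check, independent of the mask, so the subscript stays
 * safe even if the mask or the array size changes later. */
bool region_in_bounds(unsigned region) { return region < NPU_BASEP_REGION_MAX; }

/* Byte offset from the start of region_size[] written by a given index. */
size_t region_write_offset(unsigned region) { return (size_t)region * sizeof(uint64_t); }

/* How many of the 128 possible 7-bit indices fall outside the array. */
unsigned count_oob_buggy_indices(void)
{
    unsigned oob = 0;
    for (uint16_t p = 0; p < 0x80; p++)
        if (!region_in_bounds(ifm_region_buggy(p)))
            oob++;
    return oob;
}

/* Validate a command stream using the fixed mask plus the range check.
 * Returns the number of rejected commands; accepted region commands set a
 * placeholder size (stand-in for the driver's max(...) computation). */
int validate_stream(const struct npu_cmd *cmds, size_t n, struct validated_info *info)
{
    int rejected = 0;
    memset(info, 0, sizeof(*info));
    info->neighbour = 0xA5A5A5A5A5A5A5A5ull;   /* canary: must survive */
    for (size_t i = 0; i < n; i++) {
        if (cmds[i].opcode != NPU_SET_IFM_REGION && cmds[i].opcode != NPU_SET_OFM_REGION)
            continue;
        unsigned region = ifm_region_fixed(cmds[i].param);
        if (!region_in_bounds(region)) { rejected++; continue; }
        info->region_size[region] = 0x1000;
    }
    return rejected;
}

int main(void)
{
    /* Constructed stream; the last command carries the widest 7-bit param. */
    const struct npu_cmd stream[] = {
        { NPU_SET_OFM_REGION, 0x03 },
        { NPU_SET_IFM_REGION, 0x7f },
    };
    struct validated_info info;
    int rejected = validate_stream(stream, 2, &info);
    unsigned bad = ifm_region_buggy(0x7f);
    printf("pre-fix index for param 0x7f: %u (write %zu bytes past region_size[0])\n",
           bad, region_write_offset(bad));
    printf("fixed index: %u, rejected=%d, neighbour intact=%d, oob params=%u\n",
           ifm_region_fixed(0x7f), rejected,
           info.neighbour == 0xA5A5A5A5A5A5A5A5ull, count_oob_buggy_indices());
    return 0;
}
```

With the fixed mask the range check can never fail, which is the point of keeping both: the mask fixes the reported defect, and the check documents the invariant the subscript depends on and catches any future drift between the mask width and `NPU_BASEP_REGION_MAX`.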