Hi Rob, On Mon, 11 Aug 2025 at 22:05, Rob Herring (Arm) <r...@kernel.org> wrote: > +static int ethos_ioctl_submit_job(struct drm_device *dev, struct drm_file > *file, > + struct drm_ethos_job *job) > +{ > + [...] > + ejob->cmd_bo = drm_gem_object_lookup(file, job->cmd_bo); > + cmd_info = to_ethos_bo(ejob->cmd_bo)->info; > + if (!ejob->cmd_bo) > + goto out_cleanup_job;
NULL deref here if this points to a non-command BO. Which is better than wild DMA, but hey. > + for (int i = 0; i < NPU_BASEP_REGION_MAX; i++) { > + struct drm_gem_object *gem; > + > + if (job->region_bo_handles[i] == 0) > + continue; > + > + /* Don't allow a region to point to the cmd BO */ > + if (job->region_bo_handles[i] == job->cmd_bo) { > + ret = -EINVAL; > + goto out_cleanup_job; > + } And here I suppose you want to check if the BO's info pointer is non-NULL, i.e. disallow use of _any_ command BO instead of only disallowing this job's own command BO. (There's also a NULL deref if an invalid GEM handle is specified.) Cheers, Daniel
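Review bot: In the ethos_ioctl_submit_job hunk the NULL check is ordered after the dereference: `cmd_info = to_ethos_bo(ejob->cmd_bo)->info;` runs before `if (!ejob->cmd_bo)`, so a lookup failure (bad handle) is dereferenced before it is rejected. Move the `if (!ejob->cmd_bo) goto out_cleanup_job;` line directly after the `drm_gem_object_lookup()` call, and since a non-command BO carries no `info`, also reject a NULL `cmd_info` with `-EINVAL` before it is used rather than relying on a later fault; it is worth confirming the elided code sets `ret` on the lookup-failure path, as the quoted lines do not show it.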
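Review bot: In the region loop hunk the `job->region_bo_handles[i] == job->cmd_bo` comparison only excludes this job's own command BO by handle, not command BOs in general. Once `gem` is looked up (the lookup itself is outside the quoted lines), check the result for NULL and fail with `-EINVAL` on a bad handle, and reject any region whose BO has a non-NULL `info` pointer, the same marker the submit path uses to identify a command BO, so no command BO can be mapped as a data region.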