[PATCH v2 12/18] dma/dpaa: fix out-of-bounds access in SG descriptor enqueue

Hemant Agrawal hemant.agrawal at nxp.com
Fri Jun 19 08:09:10 CEST 2026

Previous message (by thread): [PATCH v2 11/18] net/dpaa: fix port_handle leak in fm_prev_cleanup
Next message (by thread): [PATCH v2 13/18] net/dpaa: fix xstat name for tx undersized counter
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vanshika Shukla <vanshika.shukla at nxp.com>

In fsl_qdma_enqueue_desc_sg(), the code accesses desc_ssge[num - 1]
without validating num first. If pending_num is 0, num will be 0 and
the access underflows. Add a bounds check to return -EINVAL when num
is 0 or exceeds FSL_QDMA_SG_MAX_ENTRY.

Fixes: a77261f61245 ("dma/dpaa: support scatter-gather")
Cc: stable at dpdk.org

Signed-off-by: Vanshika Shukla <vanshika.shukla at nxp.com>
---
 drivers/dma/dpaa/dpaa_qdma.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/dpaa/dpaa_qdma.c b/drivers/dma/dpaa/dpaa_qdma.c
index 74e23d2ee5..b20ff24ab6 100644
--- a/drivers/dma/dpaa/dpaa_qdma.c
+++ b/drivers/dma/dpaa/dpaa_qdma.c
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: BSD-3-Clause
- * Copyright 2021-2024 NXP
+ * Copyright 2021-2026 NXP
  */
 
 #include <bus_dpaa_driver.h>
@@ -827,6 +827,11 @@ fsl_qdma_enqueue_desc_sg(struct fsl_qdma_queue *fsl_queue)
 		}
 	}
 
+	if (num == 0 || num > FSL_QDMA_SG_MAX_ENTRY) {
+		DPAA_QDMA_ERR("Invalid scatter-gather entry count: num=%u", num);
+		return -EINVAL;
+	}
+
 	ft->desc_ssge[num - 1].final = 1;
 	ft->desc_dsge[num - 1].final = 1;
 	csgf_src->length = total_len;
-- 
2.43.0

Previous message (by thread): [PATCH v2 11/18] net/dpaa: fix port_handle leak in fm_prev_cleanup
Next message (by thread): [PATCH v2 13/18] net/dpaa: fix xstat name for tx undersized counter
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list