summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSunil Khatri <sunil.khatri@amd.com>2026-02-24 09:43:09 +0300
committerAlex Deucher <alexander.deucher@amd.com>2026-02-26 00:47:17 +0300
commitfcec012c664247531aed3e662f4280ff804d1476 (patch)
treeec1d60e1ad6f97c44ef600870b02a2fb9adbac9c
parentbe267e15f99bc97cbe202cd556717797cdcf79a5 (diff)
downloadlinux-fcec012c664247531aed3e662f4280ff804d1476.tar.xz
drm/amdgpu: add upper bound check on user inputs in wait ioctl
Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and could be exploited. So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM. v2: squash in Srini's fix Signed-off-by: Sunil Khatri <sunil.khatri@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat
-rw-r--r--drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index 10669a249b9f..844c2db35e4a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -635,6 +635,11 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
if (!amdgpu_userq_enabled(dev))
return -ENOTSUPP;
+ if (wait_info->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ wait_info->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ wait_info->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+ return -EINVAL;
+
num_syncobj = wait_info->num_syncobj_handles;
syncobj_handles = memdup_array_user(u64_to_user_ptr(wait_info->syncobj_handles),
num_syncobj, sizeof(u32));
generated by cgit v1.2.3 (git 2.39.0) at 2026-05-25 20:26:50 +0300