[PATCH v2] drm/amdgpu: check a user-provided number of BOs in list

Christian König christian.koenig at amd.com
Wed Apr 23 14:29:46 UTC 2025 

On 4/22/25 18:26, Deucher, Alexander wrote:
> [Public]
> 
>> -----Original Message-----
>> From: Alex Deucher <alexdeucher at gmail.com>
>> Sent: Tuesday, April 22, 2025 9:46 AM
>> To: Koenig, Christian <Christian.Koenig at amd.com>
>> Cc: Denis Arefev <arefev at swemel.ru>; Deucher, Alexander
>> <Alexander.Deucher at amd.com>; David Airlie <airlied at gmail.com>; Simona Vetter
>> <simona at ffwll.ch>; Andrey Grodzovsky <andrey.grodzovsky at amd.com>;
>> Chunming Zhou <david1.zhou at amd.com>; amd-gfx at lists.freedesktop.org; dri-
>> devel at lists.freedesktop.org; linux-kernel at vger.kernel.org; lvc-
>> project at linuxtesting.org; stable at vger.kernel.org
>> Subject: Re: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in list
>>
>> Applied.  Thanks!
> 
> This change beaks the following IGT tests:
> 
> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-create
> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-decode
> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-destroy
> igt at amdgpu/amd_jpeg_dec at amdgpu_cs_jpeg_decode
> igt at amdgpu/amd_cs_nop at cs-nops-with-nop-compute0@cs-nop-with-nop-compute0
> igt at amdgpu/amd_cs_nop at cs-nops-with-sync-compute0@cs-nop-with-sync-compute0
> igt at amdgpu/amd_cs_nop at cs-nops-with-fork-compute0@cs-nop-with-fork-compute0
> igt at amdgpu/amd_cs_nop at cs-nops-with-sync-fork-compute0@cs-nop-with-sync-fork-compute0
> igt at amdgpu/amd_basic at userptr-with-ip-dma@userptr
> igt at amdgpu/amd_basic at cs-compute-with-ip-compute@cs-compute
> igt at amdgpu/amd_basic at cs-sdma-with-ip-dma@cs-sdma
> igt at amdgpu/amd_basic at eviction-test-with-ip-dma@eviction_test
> igt at amdgpu/amd_cp_dma_misc at gtt_to_vram-amdgpu_hw_ip_compute0
> igt at amdgpu/amd_cp_dma_misc at vram_to_gtt-amdgpu_hw_ip_compute0
> igt at amdgpu/amd_cp_dma_misc at vram_to_vram-amdgpu_hw_ip_compute0


Could it be that we used BO list with zero entries for those?

Christian.

> 
> Alex
> 
>>
>> On Tue, Apr 22, 2025 at 5:13 AM Koenig, Christian <Christian.Koenig at amd.com>
>> wrote:
>>>
>>> [AMD Official Use Only - AMD Internal Distribution Only]
>>>
>>> Reviewed-by: Christian König <christian.koenig at amd.com>
>>>
>>> ________________________________________
>>> Von: Denis Arefev <arefev at swemel.ru>
>>> Gesendet: Freitag, 18. April 2025 10:31
>>> An: Deucher, Alexander
>>> Cc: Koenig, Christian; David Airlie; Simona Vetter; Andrey Grodzovsky;
>>> Chunming Zhou; amd-gfx at lists.freedesktop.org;
>>> dri-devel at lists.freedesktop.org; linux-kernel at vger.kernel.org;
>>> lvc-project at linuxtesting.org; stable at vger.kernel.org
>>> Betreff: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in
>>> list
>>>
>>> The user can set any value to the variable ‘bo_number’, via the ioctl
>>> command DRM_IOCTL_AMDGPU_BO_LIST. This will affect the arithmetic
>>> expression ‘in->bo_number * in->bo_info_size’, which is prone to
>>> overflow. Add a valid value check.
>>>
>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>
>>> Fixes: 964d0fbf6301 ("drm/amdgpu: Allow to create BO lists in CS ioctl
>>> v3")
>>> Cc: stable at vger.kernel.org
>>> Signed-off-by: Denis Arefev <arefev at swemel.ru>
>>> ---
>>> V1 -> V2:
>>> Set a reasonable limit 'USHRT_MAX' for 'bo_number' it as Christian
>>> König <christian.koenig at amd.com> suggested
>>>
>>>  drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 +++
>>>  1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>> index 702f6610d024..85f7ee1e085d 100644
>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>> @@ -189,6 +189,9 @@ int amdgpu_bo_create_list_entry_array(struct
>> drm_amdgpu_bo_list_in *in,
>>>         struct drm_amdgpu_bo_list_entry *info;
>>>         int r;
>>>
>>> +       if (!in->bo_number || in->bo_number > USHRT_MAX)
>>> +               return -EINVAL;
>>> +
>>>         info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL);
>>>         if (!info)
>>>                 return -ENOMEM;
>>> --
>>> 2.43.0
>>>

More information about the amd-gfx mailing list