[PATCH v2] drm/amdgpu: check a user-provided number of BOs in list

Christian König christian.koenig at amd.com
Mon Apr 28 14:53:32 UTC 2025 

On 4/24/25 15:40, Alex Deucher wrote:
> On Wed, Apr 23, 2025 at 10:29 AM Christian König
> <christian.koenig at amd.com> wrote:
>>
>> On 4/22/25 18:26, Deucher, Alexander wrote:
>>> [Public]
>>>
>>>> -----Original Message-----
>>>> From: Alex Deucher <alexdeucher at gmail.com>
>>>> Sent: Tuesday, April 22, 2025 9:46 AM
>>>> To: Koenig, Christian <Christian.Koenig at amd.com>
>>>> Cc: Denis Arefev <arefev at swemel.ru>; Deucher, Alexander
>>>> <Alexander.Deucher at amd.com>; David Airlie <airlied at gmail.com>; Simona Vetter
>>>> <simona at ffwll.ch>; Andrey Grodzovsky <andrey.grodzovsky at amd.com>;
>>>> Chunming Zhou <david1.zhou at amd.com>; amd-gfx at lists.freedesktop.org; dri-
>>>> devel at lists.freedesktop.org; linux-kernel at vger.kernel.org; lvc-
>>>> project at linuxtesting.org; stable at vger.kernel.org
>>>> Subject: Re: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in list
>>>>
>>>> Applied.  Thanks!
>>>
>>> This change beaks the following IGT tests:
>>>
>>> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-create
>>> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-decode
>>> igt at amdgpu/amd_vcn at vcn-decoder-create-decode-destroy@vcn-decoder-destroy
>>> igt at amdgpu/amd_jpeg_dec at amdgpu_cs_jpeg_decode
>>> igt at amdgpu/amd_cs_nop at cs-nops-with-nop-compute0@cs-nop-with-nop-compute0
>>> igt at amdgpu/amd_cs_nop at cs-nops-with-sync-compute0@cs-nop-with-sync-compute0
>>> igt at amdgpu/amd_cs_nop at cs-nops-with-fork-compute0@cs-nop-with-fork-compute0
>>> igt at amdgpu/amd_cs_nop at cs-nops-with-sync-fork-compute0@cs-nop-with-sync-fork-compute0
>>> igt at amdgpu/amd_basic at userptr-with-ip-dma@userptr
>>> igt at amdgpu/amd_basic at cs-compute-with-ip-compute@cs-compute
>>> igt at amdgpu/amd_basic at cs-sdma-with-ip-dma@cs-sdma
>>> igt at amdgpu/amd_basic at eviction-test-with-ip-dma@eviction_test
>>> igt at amdgpu/amd_cp_dma_misc at gtt_to_vram-amdgpu_hw_ip_compute0
>>> igt at amdgpu/amd_cp_dma_misc at vram_to_gtt-amdgpu_hw_ip_compute0
>>> igt at amdgpu/amd_cp_dma_misc at vram_to_vram-amdgpu_hw_ip_compute0
>>
>>
>> Could it be that we used BO list with zero entries for those?
> 
> Yes.  Dropping the 0 check fixed them.  E.g.,
> 
> +       if (in->bo_number > USHRT_MAX)
> +               return -EINVAL;


Feel free to keep my rb on that version as well.

Christian.

> 
> Alex
> 
>>
>> Christian.
>>
>>>
>>> Alex
>>>
>>>>
>>>> On Tue, Apr 22, 2025 at 5:13 AM Koenig, Christian <Christian.Koenig at amd.com>
>>>> wrote:
>>>>>
>>>>> [AMD Official Use Only - AMD Internal Distribution Only]
>>>>>
>>>>> Reviewed-by: Christian König <christian.koenig at amd.com>
>>>>>
>>>>> ________________________________________
>>>>> Von: Denis Arefev <arefev at swemel.ru>
>>>>> Gesendet: Freitag, 18. April 2025 10:31
>>>>> An: Deucher, Alexander
>>>>> Cc: Koenig, Christian; David Airlie; Simona Vetter; Andrey Grodzovsky;
>>>>> Chunming Zhou; amd-gfx at lists.freedesktop.org;
>>>>> dri-devel at lists.freedesktop.org; linux-kernel at vger.kernel.org;
>>>>> lvc-project at linuxtesting.org; stable at vger.kernel.org
>>>>> Betreff: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in
>>>>> list
>>>>>
>>>>> The user can set any value to the variable ‘bo_number’, via the ioctl
>>>>> command DRM_IOCTL_AMDGPU_BO_LIST. This will affect the arithmetic
>>>>> expression ‘in->bo_number * in->bo_info_size’, which is prone to
>>>>> overflow. Add a valid value check.
>>>>>
>>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>>
>>>>> Fixes: 964d0fbf6301 ("drm/amdgpu: Allow to create BO lists in CS ioctl
>>>>> v3")
>>>>> Cc: stable at vger.kernel.org
>>>>> Signed-off-by: Denis Arefev <arefev at swemel.ru>
>>>>> ---
>>>>> V1 -> V2:
>>>>> Set a reasonable limit 'USHRT_MAX' for 'bo_number' it as Christian
>>>>> König <christian.koenig at amd.com> suggested
>>>>>
>>>>>  drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 +++
>>>>>  1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> index 702f6610d024..85f7ee1e085d 100644
>>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> @@ -189,6 +189,9 @@ int amdgpu_bo_create_list_entry_array(struct
>>>> drm_amdgpu_bo_list_in *in,
>>>>>         struct drm_amdgpu_bo_list_entry *info;
>>>>>         int r;
>>>>>
>>>>> +       if (!in->bo_number || in->bo_number > USHRT_MAX)
>>>>> +               return -EINVAL;
>>>>> +
>>>>>         info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL);
>>>>>         if (!info)
>>>>>                 return -ENOMEM;
>>>>> --
>>>>> 2.43.0
>>>>>
>>

More information about the amd-gfx mailing list