[PATCH i-g-t] lib/i915: Avoid non-canonical address dereference in gem_has_relocations()

Kamil Konieczny kamil.konieczny at linux.intel.com
Wed Jun 18 15:10:30 UTC 2025


Hi Sebastian,
On 2025-06-16 at 14:26:15 +0000, Sebastian Brzezinka wrote:
> Fix a general protection fault in igt@gem_exec_big@single caused by
> passing a non-canonical address via relocs_ptr. The test previously
> used a stack-allocated relocation entry, which resulted in an invalid
> pointer being passed to the kernel, triggering a crash.
> 
> This patch replaces the stack-allocated `reloc` with a NULL pointer,
> ensuring the kernel correctly interprets the absence of relocations and
> avoids undefined behavior.
> 
> A corresponding kernel patch to sanitize user input for relocs_ptr has
> been submitted to the i915 mailing list to further harden the interface.
> 
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11713
> 

Are we missing an igt test for this? IMHO the kernel should not
oops when it is given an invalid pointer to relocs,
nor invalid values in relocs.
What about writing a gem_bad_reloc@invalid test for it?

> Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka at intel.com>
> ---
>  lib/i915/gem_submission.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/i915/gem_submission.c b/lib/i915/gem_submission.c
> index 7d1c3970f..a03b2e369 100644
> --- a/lib/i915/gem_submission.c
> +++ b/lib/i915/gem_submission.c
> @@ -421,10 +421,10 @@ unsigned int gem_submission_measure(int i915, const intel_ctx_cfg_t *cfg,
>  
>  bool gem_has_relocations(int i915)
>  {
> -	struct drm_i915_gem_relocation_entry reloc = {};
> +	struct drm_i915_gem_relocation_entry *reloc = NULL;

Something for testing in @invalid like:

	uint64_t bad_ptr = 0xffff7777f7f70000ULL; /* or get some other pointer to kernel */
	struct drm_i915_gem_relocation_entry *reloc = (void *)(uintptr_t)bad_ptr;

>  	struct drm_i915_gem_exec_object2 obj = {
>  		.handle = gem_create(i915, 4096),
> -		.relocs_ptr = to_user_pointer(&reloc),
> +		.relocs_ptr = to_user_pointer(reloc),

One more idea:

		.relocs_ptr = bad_ptr,

Regards,
Kamil

>  		.relocation_count = 1,
>  	};
>  	struct drm_i915_gem_execbuffer2 execbuf = {
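Review bot: `.relocation_count = 1,` is left unchanged while `.relocs_ptr` becomes `to_user_pointer(reloc)` with `reloc == NULL`, i.e. 0, so the execbuf still advertises one relocation entry and now points it at address 0; that is not "the absence of relocations" the commit message describes, it is a NULL relocation array that the kernel will try to read. Whatever the rest of gem_has_relocations() does with the ioctl's return value (outside this hunk) should be re-checked against that: either set `.relocation_count = 0,` together with the NULL pointer if the intent is really "no relocations", or state which errno the helper now expects. Minor: once `reloc` is always NULL, the variable can go and `.relocs_ptr = 0,` states the intent directly.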
> -- 
> 2.34.1
> 
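An added example for the gem_bad_reloc@invalid idea raised above; it is not code from the patch, from igt or from the i915 driver, and the kernel's real checks are only modelled, not copied. It classifies the probe values a subtest might hand to relocs_ptr (the 0xffff7777f7f70000 suggested above, the NULL the patch now passes, and two constructed ones) and applies a bounds check in the shape of access_ok() to each. Assumptions not taken from the thread: x86-64; the user half ends one page below 1 << (va_bits - 1); a relocation entry is 32 bytes; va_bits is 48 (4-level paging) or 57 (5-level paging).

```c
/*
 * Added example for this thread; not code from the patch, igt or i915.
 * Shows which probe pointers are non-canonical, which are canonical but in
 * the kernel half, and what an access_ok()-style range check does with each
 * before anything is dereferenced.
 *
 * Assumptions (not from the thread): x86-64; user half ends one page below
 * 1 << (va_bits - 1); a relocation entry is 32 bytes; va_bits is 48 or 57.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RELOC_ENTRY_SIZE 32ULL   /* sizeof(struct drm_i915_gem_relocation_entry), assumed */
#define PAGE_SIZE_BYTES  4096ULL

enum ptr_class {
	PTR_USER,          /* canonical, lower half */
	PTR_KERNEL,        /* canonical, upper half */
	PTR_NONCANONICAL,  /* bits above the VA width not sign-extended; #GP on use */
};

/* Canonical: bits 63 .. va_bits-1 are all copies of bit va_bits-1. */
bool is_canonical(uint64_t addr, unsigned va_bits)
{
	uint64_t top = addr >> (va_bits - 1);          /* the top 65 - va_bits bits */
	uint64_t all_ones = (1ULL << (65 - va_bits)) - 1;

	return top == 0 || top == all_ones;
}

enum ptr_class classify_ptr(uint64_t addr, unsigned va_bits)
{
	if (!is_canonical(addr, va_bits))
		return PTR_NONCANONICAL;
	return (addr >> 63) ? PTR_KERNEL : PTR_USER;
}

/*
 * Range check in the spirit of access_ok(): the whole array of `count`
 * entries must lie inside the user half and the end computation must not
 * wrap.  No canonical test is needed for safety: kernel-half and
 * non-canonical pointers both exceed the user limit and are never read.
 */
bool reloc_range_ok(uint64_t relocs_ptr, uint32_t count, unsigned va_bits)
{
	uint64_t user_limit = (1ULL << (va_bits - 1)) - PAGE_SIZE_BYTES;
	uint64_t size = (uint64_t)count * RELOC_ENTRY_SIZE;   /* < 2^37, cannot wrap */

	if (relocs_ptr > user_limit)
		return false;                         /* starts outside the user half */
	return size <= user_limit - relocs_ptr;   /* ends inside it, no wrap-around */
}

/*
 * What the pointer check alone yields for an execbuf: EFAULT when the array
 * cannot be user memory, 0 when it passes.  A passing pointer may still fault
 * on the actual copy (NULL with count 1, as the patch now submits) or fail
 * later validation; that depends on mapping state, not on the value itself.
 */
int reloc_ptr_rejection(uint64_t relocs_ptr, uint32_t count, unsigned va_bits)
{
	if (count == 0)
		return 0;                /* nothing to read, pointer is never touched */
	return reloc_range_ok(relocs_ptr, count, va_bits) ? 0 : EFAULT;
}

int main(void)
{
	/* Constructed probe values: the reply's suggestion, the patch's NULL, two more. */
	static const uint64_t probes[] = {
		0xffff7777f7f70000ULL,   /* suggested in the reply above */
		0x0000000000000000ULL,   /* relocs_ptr after the patch, count still 1 */
		0x00007fff12340000ULL,   /* a plausible stack/heap address */
		0x4000000000000000ULL,   /* non-canonical on both 48- and 57-bit VA */
	};
	static const unsigned va_widths[] = { 48, 57 };
	static const char *const names[] = { "user", "kernel", "non-canonical" };

	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		for (unsigned v = 0; v < 2; v++) {
			uint64_t p = probes[i];
			unsigned va = va_widths[v];

			printf("%#018llx va=%u: %-13s range_ok=%d rejection=%d\n",
			       (unsigned long long)p, va, names[classify_ptr(p, va)],
			       (int)reloc_range_ok(p, 1, va), reloc_ptr_rejection(p, 1, va));
		}
	}
	return 0;
}
```

Two things the table makes visible for a subtest author: 0xffff7777f7f70000 is non-canonical only under 48-bit VA, and on a 5-level-paging machine it becomes an ordinary canonical kernel address, so the probe exercises a different kernel path there (0x4000000000000000 is non-canonical under both); and NULL with relocation_count = 1 passes the range check, so any -EFAULT it produces comes from the copy itself, not from the pointer validation. In an igt subtest the assertion would be the ioctl's return code, for example `igt_assert_eq(__gem_execbuf(i915, &execbuf), -EFAULT);` (those two igt helpers are assumed here, not shown on this page).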


More information about the igt-dev mailing list