On 2/24/26 09:54, Khatri, Sunil wrote: > > On 24-02-2026 02:15 pm, Christian König wrote: >> On 2/24/26 09:24, Sunil Khatri wrote: >>> Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and >>> could be exploited. >>> >>> So check these input value against AMDGPU_USERQ_MAX_HANDLES >>> which is big enough value for genuine use cases and could >>> potentially avoid OOM. >>> >>> Signed-off-by: Sunil Khatri <[email protected]> >>> --- >>> drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 +++++++ >>> 1 file changed, 7 insertions(+) >>> >>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c >>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c >>> index 4f9386677c47..c2435ddfbd49 100644 >>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c >>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c >>> @@ -636,6 +636,13 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, >>> void *data, >>> if (!amdgpu_userq_enabled(dev)) >>> return -ENOTSUPP; >>> >>> + if (wait_info->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES || >>> + wait_info->num_syncobj_timeline_handles > AMDGPU_USERQ_MAX_HANDLES >>> || >>> + wait_info->syncobj_timeline_points > AMDGPU_USERQ_MAX_HANDLES || >> That here is wrong, syncobj_timeline_points is a 64bit VA pointer. > Right, but do we want to set the value to be much bigger value for this ?
No, this is not a number but only a VA. >> The number of timeline points is always the same as the number of timeline >> syncobj handles. > > So should i check only for num_syncobj_timeline_handles, or its ok to check > for both ? Checking only num_syncobj_timeline_handles is sufficient, syncobj_timeline_points should not be checked. Regards, Christian. > > Regards Sunil khatri > >> Regards, >> Christian. >> >>> + wait_info->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES || >>> + wait_info->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES) >>> + return -EINVAL; >>> + >>> num_syncobj = wait_info->num_syncobj_handles; >>> syncobj_handles = >>> memdup_array_user(u64_to_user_ptr(wait_info->syncobj_handles), >>> num_syncobj, sizeof(u32));
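Review bot: the third condition in the new check, `wait_info->syncobj_timeline_points > AMDGPU_USERQ_MAX_HANDLES`, compares a 64-bit user virtual address against a handle-count limit, so any caller that passes a valid non-NULL timeline points array will be rejected with -EINVAL; drop that line and keep the `num_syncobj_timeline_handles` comparison, which already bounds the points array since both arrays are the same length. The remaining four count checks are the right fix for the OOM concern: `memdup_array_user()` will catch multiplication overflow but still happily allocate whatever fits, so an explicit upper bound on each `num_*` field before the copies is what actually limits allocation size. A one-line comment above the block saying why AMDGPU_USERQ_MAX_HANDLES is the cap would help future readers.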
