The kfd_wait_on_events ioctl passes a user-supplied num_events parameter directly to alloc_event_waiters() which calls kcalloc() without validation. This allows unprivileged users with /dev/kfd access to trigger large kernel memory allocations, potentially causing memory exhaustion and denial of service via the OOM killer.
Add a check to reject num_events values exceeding KFD_SIGNAL_EVENT_LIMIT (4096), which is the maximum number of events a single process can create. Signed-off-by: Sunday Clement <[email protected]> --- drivers/gpu/drm/amd/amdkfd/kfd_events.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c index e9be798c0a2b..83edc4af77b5 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c @@ -799,7 +799,8 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events) { struct kfd_event_waiter *event_waiters; uint32_t i; - + if (num_events > KFD_SIGNAL_EVENT_LIMIT) + return NULL; event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter), GFP_KERNEL); if (!event_waiters) -- 2.43.0
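Review bot: The new `if (num_events > KFD_SIGNAL_EVENT_LIMIT) return NULL;` at the top of alloc_event_waiters() reports an out-of-range count the same way as a failed kcalloc(), which also ends in the existing `if (!event_waiters)` path. The caller therefore cannot tell invalid user input from memory pressure. Consider rejecting the value in the kfd_wait_on_events path before alloc_event_waiters() is called, so user space gets an invalid-argument error such as -EINVAL instead of whatever the NULL return maps to. On style, the hunk removes the blank line that separated the declarations from the first statement. Keep a blank line after `uint32_t i;` and put the new check below it.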
