pkt_init() passes data->hdr.size directly to kvzalloc() without any upper bound check. The size field is a u64 sourced from userspace via copy_from_user() in pkt_hdr_write(), and the only validation performed by xe_sriov_packet_init_from_hdr() is a version check.
When a VFIO migration manager or debugfs writer supplies a packet header with size > INT_MAX, kvzalloc() reaches the size WARNING in __kvmalloc_node_noprof() which triggers: WARN_ON_ONCE(!(flags & __GFP_NOWARN)) This fires a kernel WARNING, taints the kernel with TAINT_WARN, and causes a panic on CONFIG_PANIC_ON_WARN=y systems. Add a size bounds check in pkt_init() before the kvzalloc() call to reject oversized packets early with -EINVAL. Signed-off-by: Ziyi Guo <[email protected]> --- drivers/gpu/drm/xe/xe_sriov_packet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_sriov_packet.c b/drivers/gpu/drm/xe/xe_sriov_packet.c index bab994696896..04483eeba11b 100644 --- a/drivers/gpu/drm/xe/xe_sriov_packet.c +++ b/drivers/gpu/drm/xe/xe_sriov_packet.c @@ -127,6 +127,9 @@ static int pkt_init(struct xe_sriov_packet *data) if (data->hdr.size == 0) return 0; + if (data->hdr.size > INT_MAX) + return -EINVAL; + if (pkt_needs_bo(data)) { struct xe_bo *bo; -- 2.34.1
