On 24-02-2026 02:26 pm, Christian König wrote:
On 2/24/26 09:54, Khatri, Sunil wrote:
On 24-02-2026 02:15 pm, Christian König wrote:
On 2/24/26 09:24, Sunil Khatri wrote:
Huge input values in amdgpu_userq_wait_ioctl can lead to an OOM and
could be exploited.

So check these input values against AMDGPU_USERQ_MAX_HANDLES,
which is a big enough value for genuine use cases and could
potentially avoid OOM.

Signed-off-by: Sunil Khatri <[email protected]>
---
  drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index 4f9386677c47..c2435ddfbd49 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -636,6 +636,13 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void 
*data,
        if (!amdgpu_userq_enabled(dev))
                return -ENOTSUPP;
+ if (wait_info->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           wait_info->num_syncobj_timeline_handles > AMDGPU_USERQ_MAX_HANDLES 
||
+           wait_info->syncobj_timeline_points > AMDGPU_USERQ_MAX_HANDLES ||
That here is wrong, syncobj_timeline_points is a 64bit VA pointer.
Right, but do we want to set the value to be a much bigger value for this?
No, this is not a number but only a VA.
Ah, yes, I see now that's not the count. Sorry, will remove that in the next version.

The number of timeline points is always the same as the number of timeline 
syncobj handles.
So should I check only for num_syncobj_timeline_handles, or is it OK to check for
both?
Checking only num_syncobj_timeline_handles is sufficient, 
syncobj_timeline_points should not be checked.

Got it, will get that removed.

Regards
Sunil Khatri


Regards,
Christian.

Regards, Sunil Khatri

Regards,
Christian.

+           wait_info->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+           wait_info->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+               return -EINVAL;
+
        num_syncobj = wait_info->num_syncobj_handles;
        syncobj_handles = 
memdup_array_user(u64_to_user_ptr(wait_info->syncobj_handles),
                                            num_syncobj, sizeof(u32));
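Review bot: the added check `wait_info->syncobj_timeline_points > AMDGPU_USERQ_MAX_HANDLES` compares a 64-bit user-space VA (the pointer to the timeline points array), not an element count, so it would reject legitimate requests whose buffer happens to sit above that address and does nothing to bound an allocation; drop that line. The bound on `num_syncobj_timeline_handles` already covers the points array, since the number of timeline points is the same as the number of timeline syncobj handles. The remaining four count checks are the ones that matter, as each count is what `memdup_array_user()` multiplies by the element size (e.g. `num_syncobj` by `sizeof(u32)` in the trailing context), which is exactly where an unbounded user value turns into an oversized kernel allocation.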
