[Public]
It's not too much change, so ping?
Regards,
Prike
> -----Original Message-----
> From: Liang, Prike <[email protected]>
> Sent: Monday, March 23, 2026 11:30 AM
> To: [email protected]
> Cc: Deucher, Alexander <[email protected]>; Koenig, Christian
> <[email protected]>; Liang, Prike <[email protected]>
> Subject: [PATCH] drm/amdgpu: validate SIGNAL/WAIT ioctl input argument
>
> Reject invalid input arguments in the userq emit and wait ioctls.
>
> Signed-off-by: Prike Liang <[email protected]>
> ---
> .../gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 27 +++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> index f93da45cfa7e..7b2700a0c0ad 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> @@ -483,6 +483,17 @@ int amdgpu_userq_signal_ioctl(struct drm_device *dev,
> void *data,
> if (args->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
> args->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
> return -EINVAL;
> + /* After the mesa allocates the input obj properly, then there
> + * also requires filtering out the invalid obj number.
> + */
> + if (args->num_syncobj_handles && !args->syncobj_handles)
> + return -EINVAL;
> +
> + if (args->num_bo_read_handles && !args->bo_read_handles)
> + return -EINVAL;
> +
> + if (args->num_bo_write_handles && !args->bo_write_handles)
> + return -EINVAL;
>
> num_syncobj_handles = args->num_syncobj_handles;
> syncobj_handles = memdup_array_user(u64_to_user_ptr(args-
> >syncobj_handles),
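Review bot: The comment above the new checks in amdgpu_userq_signal_ioctl does not say what is being rejected, and it describes Mesa's behaviour rather than the ioctl's input contract. Something like `/* A non-zero handle count must come with a non-NULL user array. */` would be clearer, with a blank line after the preceding `return -EINVAL;`. These are NULL tests only, so a non-NULL but invalid user address still reaches `memdup_array_user()`, which presumably fails the copy on its own. The commit message could therefore state that the checks reject the NULL case early with -EINVAL and do not replace the copy-time validation. The function body starts and ends outside the hunk.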
> @@ -946,6 +957,22 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void
> *data,
> wait_info->num_bo_read_handles >
> AMDGPU_USERQ_MAX_HANDLES)
> return -EINVAL;
>
> + if (wait_info->num_syncobj_handles && !wait_info->syncobj_handles)
> + return -EINVAL;
> +
> + if (wait_info->num_syncobj_timeline_handles &&
> + !(wait_info->syncobj_timeline_handles || wait_info-
> >syncobj_timeline_points))
> + return -EINVAL;
> +
> + if (wait_info->num_bo_read_handles && !wait_info->bo_read_handles)
> + return -EINVAL;
> +
> + if (wait_info->num_bo_write_handles && !wait_info->bo_write_handles)
> + return -EINVAL;
> +
> + if (!wait_info->num_fences && wait_info->out_fences)
> + return -EINVAL;
> +
> num_syncobj = wait_info->num_syncobj_handles;
> ptr = u64_to_user_ptr(wait_info->syncobj_handles);
> syncobj_handles = memdup_array_user(ptr, num_syncobj, sizeof(u32));
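Review bot: The timeline check in amdgpu_userq_wait_ioctl rejects only the case where both `syncobj_timeline_handles` and `syncobj_timeline_points` are NULL, so a non-zero `num_syncobj_timeline_handles` with just one array missing passes. If both arrays are required for each timeline entry, the condition should be `!wait_info->syncobj_timeline_handles || !wait_info->syncobj_timeline_points`. The last check rejects `out_fences` set with `num_fences == 0`, but not the converse, a non-zero `num_fences` with a NULL `out_fences`. If `num_fences == 0` is used as a count query, which is not visible here, the new check may also start failing callers that pass a buffer while querying. The function continues outside the hunk.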
> --
> 2.34.1