[PATCH 1/4] drm/amd/ras: bound CPER record fetch buffer size and count

Mon, 18 May 2026 01:26:24 -0700 

Limit RAS_CMD__GET_CPER_RECORD so buf_size and cper_num
from userspace cannot force unbounded kzalloc or long loops.

Signed-off-by: Candice Li <[email protected]>
---
 drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c | 4 ++++
 drivers/gpu/drm/amd/ras/rascore/ras_cmd.c             | 4 ++++
 drivers/gpu/drm/amd/ras/rascore/ras_cmd.h             | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c 
b/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
index 7ec5287daf7f19..0a721d5d92344d 100644
--- a/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
+++ b/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
@@ -267,6 +267,10 @@ static int amdgpu_virt_ras_get_cper_records(struct 
ras_core_context *ras_core,
        if (!req->buf_size || !req->buf_ptr || !req->cper_num)
                return RAS_CMD__ERROR_INVALID_INPUT_DATA;
 
+       if (req->buf_size > RAS_CMD_MAX_CPER_BUF_SZ ||
+           req->cper_num > RAS_CMD_MAX_CPER_FETCH_NUM)
+               return RAS_CMD__ERROR_INVALID_INPUT_DATA;
+
        trace = kcalloc(MAX_RECORD_PER_BATCH, sizeof(*trace), GFP_KERNEL);
        if (!trace)
                return RAS_CMD__ERROR_GENERIC;
diff --git a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c 
b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
index 4f89810d85a15e..5c812f3d984140 100644
--- a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
+++ b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
@@ -217,6 +217,10 @@ static int ras_cmd_get_cper_records(struct 
ras_core_context *ras_core,
        if (!req->buf_size || !req->buf_ptr || !req->cper_num)
                return RAS_CMD__ERROR_INVALID_INPUT_DATA;
 
+       if (req->buf_size > RAS_CMD_MAX_CPER_BUF_SZ ||
+           req->cper_num > RAS_CMD_MAX_CPER_FETCH_NUM)
+               return RAS_CMD__ERROR_INVALID_INPUT_DATA;
+
        buffer = kzalloc(req->buf_size, GFP_KERNEL);
        if (!buffer)
                return RAS_CMD__ERROR_GENERIC;
diff --git a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h 
b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
index 7ea35a02898742..a1a73e6452e73d 100644
--- a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
+++ b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
@@ -405,6 +405,10 @@ struct batch_ras_trace_info {
 
 #define RAS_CMD_MAX_BATCH_NUM  300
 #define RAS_CMD_MAX_TRACE_NUM  300
+
+/* Upper bounds for RAS_CMD__GET_CPER_RECORD to limit kernel allocations and 
work. */
+#define RAS_CMD_MAX_CPER_FETCH_NUM     RAS_CMD_MAX_BATCH_NUM
+#define RAS_CMD_MAX_CPER_BUF_SZ        (1024U * 1024U) /* 1 MiB */
 struct ras_cmd_batch_trace_record_rsp {
        uint32_t version;
        uint16_t real_batch_num;
-- 
2.25.1

Reply via email to