AMD General ping
> -----Original Message----- > From: Clement, Sunday <[email protected]> > Sent: Tuesday, May 19, 2026 10:18 AM > To: [email protected] > Cc: Deucher, Alexander <[email protected]>; Kasiviswanathan, > Harish <[email protected]>; Clement, Sunday > <[email protected]> > Subject: [PATCH] drm/amdkfd: Add bounds check for > AMDKFD_IOC_WAIT_EVENTS > > The kfd_wait_on_events ioctl passes a user-supplied num_events parameter > directly to alloc_event_waiters() which calls kcalloc() without validation. > This allows unprivileged users with /dev/kfd access to trigger large kernel > memory allocations, potentially causing memory exhaustion and denial of > service via the OOM killer. > > Add a check to reject num_events values exceeding > KFD_SIGNAL_EVENT_LIMIT (4096), which is the maximum number of events a > single process can create. > > Signed-off-by: Sunday Clement <[email protected]> > --- > drivers/gpu/drm/amd/amdkfd/kfd_events.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c > b/drivers/gpu/drm/amd/amdkfd/kfd_events.c > index e9be798c0a2b..83edc4af77b5 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c > @@ -799,7 +799,8 @@ static struct kfd_event_waiter > *alloc_event_waiters(uint32_t num_events) { > struct kfd_event_waiter *event_waiters; > uint32_t i; > - > + if (num_events > KFD_SIGNAL_EVENT_LIMIT) > + return NULL; > event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter), > GFP_KERNEL); > if (!event_waiters) > -- > 2.43.0
