> The valid event ids go from 0 to signal_mapped_size / 8
> (usually 256).
Whoops, meant to be "from 0 to KFD_SIGNAL_EVENT_LIMIT"

________________________________________
From: Francis, David <[email protected]>
Sent: Thursday, May 28, 2026 9:17 AM
To: [email protected]
Cc: Francis, David
Subject: [PATCH V2] drm/amdkfd: Check bounds in allocate_event_notification_slot

The valid event ids go from 0 to signal_mapped_size / 8
(usually 256).

allocate_event_notification_slot has an option to specify
an event id to allocate at, used by CRIU. We weren't checking
the bounds on that value.

Check them.

v2: Lower bounds check is unnecessary because of idr_alloc
already rejecting negative numbers. Upper bounds check should
be KFD_SIGNAL_EVENT_LIMIT since the signal mode mappings might
not yet exist

Signed-off-by: David Francis <[email protected]>
---
 drivers/gpu/drm/amd/amdkfd/kfd_events.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
index e9be798c0a2b..850d6befeb6d 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
@@ -107,6 +107,9 @@ static int allocate_event_notification_slot(struct 
kfd_process *p,
        }

        if (restore_id) {
+               if (*restore_id >= KFD_SIGNAL_EVENT_LIMIT)
+                       return -EINVAL;
+
                id = idr_alloc(&p->event_idr, ev, *restore_id, *restore_id + 1,
                                GFP_KERNEL);
        } else {
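Review bot: The new check `if (*restore_id >= KFD_SIGNAL_EVENT_LIMIT)` covers only the upper bound, and the reason the lower bound is left out (idr_alloc rejecting a negative start, per the v2 note) is recorded only in the changelog. A one-line comment above the check would keep a later reader from questioning it or re-adding a redundant test. The first paragraph of the commit message still gives the valid range as 0 to signal_mapped_size / 8, which does not match the constant used here, so it should be reworded to KFD_SIGNAL_EVENT_LIMIT. Since the changelog says the signal mappings might not exist yet at this point, it would also help to state whether an id accepted here is checked against the actual mapped size once the mapping is created.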
--
2.34.1
