Hello Tomeu Vizoso,
Commit 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL") from
Jul 21, 2025 (linux-next), leads to the following Smatch static
checker warning:
drivers/accel/rocket/rocket_job.c:621 rocket_ioctl_submit()
warn: potential user controlled sizeof overflow 'i *
args->job_struct_size' '0-4294967294 * 40-u32max(user)'
drivers/accel/rocket/rocket_job.c
593 int rocket_ioctl_submit(struct drm_device *dev, void *data, struct
drm_file *file)
594 {
595 struct drm_rocket_submit *args = data;
596 struct drm_rocket_job *jobs;
597 int ret = 0;
598 unsigned int i = 0;
599
600 if (args->job_count == 0)
601 return 0;
602
603 if (args->job_struct_size < sizeof(struct drm_rocket_job)) {
There is a lower bound on args->job_struct_size but no upper bound
604 drm_dbg(dev, "job_struct_size field in
drm_rocket_submit struct is too small.\n");
605 return -EINVAL;
606 }
607
608 if (args->reserved != 0) {
609 drm_dbg(dev, "Reserved field in drm_rocket_submit
struct should be 0.\n");
610 return -EINVAL;
611 }
612
613 jobs = kvmalloc_array(args->job_count, sizeof(*jobs),
GFP_KERNEL);
614 if (!jobs) {
615 drm_dbg(dev, "Failed to allocate incoming job array\n");
616 return -ENOMEM;
617 }
618
619 for (i = 0; i < args->job_count; i++) {
620 if (copy_from_user(&jobs[i],
--> 621 u64_to_user_ptr(args->jobs) + i *
args->job_struct_size,
This multiply can integer overflow. Although it's fine. Really neither
the lower bound nor the upper bound are needed... Eventually, we're
going to turn it into a runtime error when code does pointer math that
results in an integer overflow.
622 sizeof(*jobs))) {
623 ret = -EFAULT;
624 drm_dbg(dev, "Failed to copy incoming job
array\n");
625 goto exit;
626 }
627 }
628
629
630 for (i = 0; i < args->job_count; i++)
631 rocket_ioctl_submit_job(dev, file, &jobs[i]);
632
633 exit:
634 kvfree(jobs);
635
636 return ret;
637 }
regards,
dan carpenter
