Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:

- [High] Ineffective integer overflow protection during allocation size calculation in `submit_create` leads to potential heap buffer overflows.

--
commit 0bc0c946b740e56645786e074bd1e98b7bdd28a0
Author: Rob Clark <[email protected]>
Subject: drm/msm: Validate lazy VM is created in GEM_SUBMIT

This commit fixes a potential NULL pointer dereference in the GEM_SUBMIT ioctl. It ensures that the lazy VM is validated and created before any buffer objects are mapped.

> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 26ea8a28be474..0dc983d155cd2 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -30,7 +30,7 @@
>   */
>  
>  static struct msm_gem_submit *submit_create(struct drm_device *dev,
> -		struct msm_gpu *gpu,
> +		struct msm_gpu *gpu, struct drm_gpuvm *vm,
>  		struct msm_gpu_submitqueue *queue, uint32_t nr_bos,
>  		uint32_t nr_cmds, u64 drm_client_id)
>  {

[Severity: High] This is a pre-existing issue, but does the overflow check in this function work as intended?

In submit_create(), sz is calculated using struct_size() and assigned to a uint64_t variable:

    sz = struct_size(submit, bos, nr_bos) + ((u64)nr_cmds * sizeof(submit->cmd[0]));
    if (sz > SIZE_MAX)
        return ERR_PTR(-ENOMEM);

Since sz and SIZE_MAX share the same maximum width on 64-bit architectures, can sz ever evaluate to strictly greater than SIZE_MAX? If the struct_size() calculation saturates to SIZE_MAX upon overflow, the subsequent addition of the command array size could wrap sz around to a small positive value. This would cause the check to evaluate to false and bypass the protection, allocating a memory block that is too small for the requested elements and allowing a potential heap buffer overflow if userspace provides extremely large values for the number of buffer objects or commands.

[ ... ]

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=2
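Review bot: the quoted `if (sz > SIZE_MAX)` check is less broken than described, because the counts feeding it are `uint32_t nr_bos` and `uint32_t nr_cmds` (visible in the signature above). On a 64-bit target neither struct_size(submit, bos, nr_bos) nor (u64)nr_cmds * sizeof(submit->cmd[0]) can exceed about 2^32 times a small element size, so struct_size() never saturates and the sum cannot wrap; on a 32-bit target sz is a u64 holding the exact sum, so comparing it against the 32-bit SIZE_MAX does reject requests that would wrap a size_t. What the comparison can never do is fire on a 64-bit target, so if these counts are ever widened, the open-coded sum should become `size_add(struct_size(submit, bos, nr_bos), size_mul(nr_cmds, sizeof(submit->cmd[0])))` from linux/overflow.h, letting the allocator reject a saturated SIZE_MAX request. This hunk itself only threads the new `vm` argument through and needs no change.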
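As an added example (not code from the patch or the kernel tree), a user-space model of the quoted size computation. The header and element sizes are assumed placeholders, and the element counts are deliberately widened to size_t, going beyond the uint32_t parameters in the hunk, so the saturating path of a struct_size()-style helper can actually be exercised; with uint32_t counts the sum cannot overflow on a 64-bit target.

```c
/* Model of the quoted submit_create() size arithmetic (added example, not kernel code).
 * Sizes below are assumed stand-ins, not the real struct msm_gem_submit layout. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_SIZE 128u   /* assumed fixed part of the submit struct */
#define BO_SIZE   24u   /* assumed sizeof(submit->bos[0]) */
#define CMD_SIZE  32u   /* assumed sizeof(submit->cmd[0]) */

/* Saturating helpers with the same contract as the kernel's size_mul()/size_add():
 * on overflow the result is pinned at SIZE_MAX so a later allocation fails cleanly. */
static size_t sat_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Models struct_size(submit, bos, nr_bos): fixed header plus a saturating array size. */
static size_t model_struct_size(size_t nr_bos)
{
    return sat_add(HDR_SIZE, sat_mul(nr_bos, BO_SIZE));
}

/* The sum exactly as quoted in the review, with counts widened to size_t.
 * On an LP64 target a saturated struct_size() plus the command array wraps. */
static uint64_t quoted_sz(size_t nr_bos, size_t nr_cmds)
{
    return model_struct_size(nr_bos) + ((uint64_t)nr_cmds * CMD_SIZE);
}

/* true when the quoted `if (sz > SIZE_MAX)` would reject the request. */
static bool quoted_check_rejects(size_t nr_bos, size_t nr_cmds)
{
    return quoted_sz(nr_bos, nr_cmds) > SIZE_MAX;
}

/* Overflow-aware variant: every term saturates and a saturated total counts as
 * "too big", so the result can never wrap to a small value. */
static bool hardened_check_rejects(size_t nr_bos, size_t nr_cmds)
{
    size_t sz = sat_add(model_struct_size(nr_bos), sat_mul(nr_cmds, CMD_SIZE));
    return sz == SIZE_MAX;
}
```

With a 64-bit size_t, quoted_sz(SIZE_MAX, 4) wraps to 127 and the quoted check passes it, while the hardened form rejects it; with two UINT32_MAX counts neither form rejects because the sum fits.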
