On Wed, Apr 23, 2025 at 10:29 AM Christian König christian.koenig@amd.com wrote:
On 4/22/25 18:26, Deucher, Alexander wrote:
[Public]
-----Original Message----- From: Alex Deucher alexdeucher@gmail.com Sent: Tuesday, April 22, 2025 9:46 AM To: Koenig, Christian Christian.Koenig@amd.com Cc: Denis Arefev arefev@swemel.ru; Deucher, Alexander Alexander.Deucher@amd.com; David Airlie airlied@gmail.com; Simona Vetter simona@ffwll.ch; Andrey Grodzovsky andrey.grodzovsky@amd.com; Chunming Zhou david1.zhou@amd.com; amd-gfx@lists.freedesktop.org; dri- devel@lists.freedesktop.org; linux-kernel@vger.kernel.org; lvc- project@linuxtesting.org; stable@vger.kernel.org Subject: Re: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in list
Applied. Thanks!
This change beaks the following IGT tests:
igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-create igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-decode igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-destroy igt@amdgpu/amd_jpeg_dec@amdgpu_cs_jpeg_decode igt@amdgpu/amd_cs_nop@cs-nops-with-nop-compute0@cs-nop-with-nop-compute0 igt@amdgpu/amd_cs_nop@cs-nops-with-sync-compute0@cs-nop-with-sync-compute0 igt@amdgpu/amd_cs_nop@cs-nops-with-fork-compute0@cs-nop-with-fork-compute0 igt@amdgpu/amd_cs_nop@cs-nops-with-sync-fork-compute0@cs-nop-with-sync-fork-compute0 igt@amdgpu/amd_basic@userptr-with-ip-dma@userptr igt@amdgpu/amd_basic@cs-compute-with-ip-compute@cs-compute igt@amdgpu/amd_basic@cs-sdma-with-ip-dma@cs-sdma igt@amdgpu/amd_basic@eviction-test-with-ip-dma@eviction_test igt@amdgpu/amd_cp_dma_misc@gtt_to_vram-amdgpu_hw_ip_compute0 igt@amdgpu/amd_cp_dma_misc@vram_to_gtt-amdgpu_hw_ip_compute0 igt@amdgpu/amd_cp_dma_misc@vram_to_vram-amdgpu_hw_ip_compute0
Could it be that we used BO list with zero entries for those?
Yes. Dropping the 0 check fixed them. E.g.,
+ if (in->bo_number > USHRT_MAX) + return -EINVAL;
Alex
Christian.
Alex
On Tue, Apr 22, 2025 at 5:13 AM Koenig, Christian Christian.Koenig@amd.com wrote:
[AMD Official Use Only - AMD Internal Distribution Only]
Reviewed-by: Christian König christian.koenig@amd.com
Von: Denis Arefev arefev@swemel.ru Gesendet: Freitag, 18. April 2025 10:31 An: Deucher, Alexander Cc: Koenig, Christian; David Airlie; Simona Vetter; Andrey Grodzovsky; Chunming Zhou; amd-gfx@lists.freedesktop.org; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org; lvc-project@linuxtesting.org; stable@vger.kernel.org Betreff: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in list
The user can set any value to the variable ‘bo_number’, via the ioctl command DRM_IOCTL_AMDGPU_BO_LIST. This will affect the arithmetic expression ‘in->bo_number * in->bo_info_size’, which is prone to overflow. Add a valid value check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 964d0fbf6301 ("drm/amdgpu: Allow to create BO lists in CS ioctl v3") Cc: stable@vger.kernel.org Signed-off-by: Denis Arefev arefev@swemel.ru
V1 -> V2: Set a reasonable limit 'USHRT_MAX' for 'bo_number' it as Christian König christian.koenig@amd.com suggested
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c index 702f6610d024..85f7ee1e085d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c @@ -189,6 +189,9 @@ int amdgpu_bo_create_list_entry_array(struct
drm_amdgpu_bo_list_in *in,
struct drm_amdgpu_bo_list_entry *info; int r;
if (!in->bo_number || in->bo_number > USHRT_MAX)return -EINVAL;info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL); if (!info) return -ENOMEM;-- 2.43.0