On 3/12/26 11:13, Jesse.Zhang wrote:
> Userspace can pass an arbitrary number of BO list entries via the
> bo_number field. Although the previous multiplication overflow check
> prevents out-of-bounds allocation, a large number of entries could still
> cause excessive memory allocation (up to potentially gigabytes) and
> unnecessarily long list processing times.
> 
> Introduce a hard limit of 128k entries per BO list, which is more than
> sufficient for any realistic use case (e.g., a single list containing all
> buffers in a large scene). This prevents memory exhaustion attacks and
> ensures predictable performance.
> 
> Return -EINVAL if the requested entry count exceeds the limit.
> 
> Suggested-by: Christian König <[email protected]>
> Signed-off-by: Jesse Zhang <[email protected]>

Reviewed-by: Christian König <[email protected]>

> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c 
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
> index 87ec46c56a6e..3270ea50bdc7 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
> @@ -36,6 +36,7 @@
>  
>  #define AMDGPU_BO_LIST_MAX_PRIORITY  32u
>  #define AMDGPU_BO_LIST_NUM_BUCKETS   (AMDGPU_BO_LIST_MAX_PRIORITY + 1)
> +#define AMDGPU_BO_LIST_MAX_ENTRIES   (128 * 1024)
>  
>  static void amdgpu_bo_list_free_rcu(struct rcu_head *rcu)
>  {
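
Review bot: AMDGPU_BO_LIST_MAX_ENTRIES is defined as a plain int expression, while AMDGPU_BO_LIST_MAX_PRIORITY just above it uses the 32u suffix and the new constant is compared against the uint32_t bo_number in the second hunk. Consider (128u * 1024u) for consistency, and add a one-line comment saying why 128k was chosen, since userspace now gets -EINVAL above that count.
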
> @@ -188,6 +189,9 @@ int amdgpu_bo_create_list_entry_array(struct 
> drm_amdgpu_bo_list_in *in,
>       const uint32_t bo_number = in->bo_number;
>       struct drm_amdgpu_bo_list_entry *info;
>  
> +     if (bo_number > AMDGPU_BO_LIST_MAX_ENTRIES)
> +             return -EINVAL;
> +
>       /* copy the handle array from userspace to a kernel buffer */
>       if (likely(info_size == bo_info_size)) {
>               info = vmemdup_array_user(uptr, bo_number, info_size);
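
Review bot: the new bo_number check in amdgpu_bo_create_list_entry_array() has no comment, so a reader cannot tell from the code why the bound exists when the "copy the handle array from userspace" step below it already goes through vmemdup_array_user(). Placing the check ahead of that call is right, because nothing is copied or allocated for a rejected request; a short comment above the if stating that it caps allocation size and list processing time would make the intent clear. The comparison uses >, so a list of exactly 128 * 1024 entries is still accepted, which matches the "hard limit of 128k entries" wording in the commit message.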
