Applied. Thanks!
On Tue, Mar 24, 2026 at 5:49 AM Junrui Luo <[email protected]> wrote: > > amdgpu_userq_get_doorbell_index() passes the user-provided > doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds > checking. An arbitrarily large doorbell_offset can cause the > calculated doorbell index to fall outside the allocated doorbell BO, > potentially corrupting kernel doorbell space. > > Validate that doorbell_offset falls within the doorbell BO before > computing the BAR index, using u64 arithmetic to prevent overflow. > > Fixes: f09c1e6077ab ("drm/amdgpu: generate doorbell index for userqueue") > Reported-by: Yuhao Jiang <[email protected]> > Cc: [email protected] > Signed-off-by: Junrui Luo <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c > index 7c450350847d..0a1b93259887 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c > @@ -600,6 +600,13 @@ amdgpu_userq_get_doorbell_index(struct amdgpu_userq_mgr > *uq_mgr, > goto unpin_bo; > } > > + /* Validate doorbell_offset is within the doorbell BO */ > + if ((u64)db_info->doorbell_offset * db_size + db_size > > + amdgpu_bo_size(db_obj->obj)) { > + r = -EINVAL; > + goto unpin_bo; > + } > + > index = amdgpu_doorbell_index_on_bar(uq_mgr->adev, db_obj->obj, > db_info->doorbell_offset, > db_size); > drm_dbg_driver(adev_to_drm(uq_mgr->adev), > > --- > base-commit: c369299895a591d96745d6492d4888259b004a9e > change-id: 20260324-fixes-9ee6cab7bc47 > > Best regards, > -- > Junrui Luo <[email protected]> >
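Review bot: In the added bounds check, `(u64)db_info->doorbell_offset * db_size + db_size` is wrap-free only if doorbell_offset is at most 32 bits wide, and the hunk does not show the field's type. If it is a 64-bit field, a large user-supplied value can wrap the product and pass the comparison against amdgpu_bo_size(db_obj->obj). A form that does not depend on the field width would be safer: either check_mul_overflow()/check_add_overflow() from <linux/overflow.h>, or rejecting when doorbell_offset >= amdgpu_bo_size(db_obj->obj) / db_size (with db_size known to be nonzero at this point). The comment could also say that doorbell_offset counts db_size-sized slots rather than bytes, since that is what the multiplication assumes.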
