Re: [PATCH] udmabuf: fix a buf size overflow issue during udmabuf creation

Thu, 10 Apr 2025 14:25:15 -0700 


On 3/26/2025 2:41 AM, Christian König wrote:

Am 26.03.25 um 03:59 schrieb Kasireddy, Vivek:

Hi Christian,


Subject: Re: [PATCH] udmabuf: fix a buf size overflow issue during udmabuf
creation

Am 25.03.25 um 07:23 schrieb Kasireddy, Vivek:

Hi Christian,


Am 21.03.25 um 17:41 schrieb Xiaogang.Chen:

From: Xiaogang Chen<xiaogang.c...@amd.com>

by casting size_limit_mb to u64  when calculate pglimit.

Signed-off-by: Xiaogang Chen<xiaogang.c...@amd.com>

Reviewed-by: Christian König<christian.koe...@amd.com>

If nobody objects I'm going to push that to drm-misc-fixes.

No objection but I wish the author would have added more details in the

commit

message particularly the value they have used to trigger the overflow. I

guess

Xiaogang can still comment here and briefly describe the exact use-

case/test-case

they are running where they encountered this issue.

Isn't that obvious? At least it was for me.

As soon as you have a value larger than 4095 the 32bit multiplication
overflows, resulting in incorrectly limiting the buffer size.

Right, that part makes sense. I was mostly curious about why or how they
were using such a large buffer (use-case details).

Well I suggested that we use udmabuf to implement shareable dma-bufs which can 
be allocated from a specific NUMA node and are also accounted in memcg.

But to be honest I have absolutely no idea what's the use case for a buffer 
larger than 4GiB.

Regards,
Christian.


Sorry, just noticed this email response.
Application may allocate buf bigger than 4GB and map to GPU VM where shadder code uses the buffer. 

 Regards

Xiaogang


Thanks,
Vivek


Regards,
Christian.


Thanks,
Vivek


Regards,
Christian.


---
  drivers/dma-buf/udmabuf.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index 8ce1f074c2d3..e99e3a65a470 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -398,7 +398,7 @@ static long udmabuf_create(struct miscdevice

*device,

        if (!ubuf)
                return -ENOMEM;

-       pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+       pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
        for (i = 0; i < head->count; i++) {
                pgoff_t subpgcnt;

Reply via email to