Re: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in list

Mon, 28 Apr 2025 07:53:56 -0700 

On 4/24/25 15:40, Alex Deucher wrote:
> On Wed, Apr 23, 2025 at 10:29 AM Christian König
> <christian.koe...@amd.com> wrote:
>>
>> On 4/22/25 18:26, Deucher, Alexander wrote:
>>> [Public]
>>>
>>>> -----Original Message-----
>>>> From: Alex Deucher <alexdeuc...@gmail.com>
>>>> Sent: Tuesday, April 22, 2025 9:46 AM
>>>> To: Koenig, Christian <christian.koe...@amd.com>
>>>> Cc: Denis Arefev <are...@swemel.ru>; Deucher, Alexander
>>>> <alexander.deuc...@amd.com>; David Airlie <airl...@gmail.com>; Simona 
>>>> Vetter
>>>> <sim...@ffwll.ch>; Andrey Grodzovsky <andrey.grodzov...@amd.com>;
>>>> Chunming Zhou <david1.z...@amd.com>; amd-...@lists.freedesktop.org; dri-
>>>> de...@lists.freedesktop.org; linux-ker...@vger.kernel.org; lvc-
>>>> proj...@linuxtesting.org; sta...@vger.kernel.org
>>>> Subject: Re: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in 
>>>> list
>>>>
>>>> Applied.  Thanks!
>>>
>>> This change beaks the following IGT tests:
>>>
>>> igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-create
>>> igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-decode
>>> igt@amdgpu/amd_vcn@vcn-decoder-create-decode-destroy@vcn-decoder-destroy
>>> igt@amdgpu/amd_jpeg_dec@amdgpu_cs_jpeg_decode
>>> igt@amdgpu/amd_cs_nop@cs-nops-with-nop-compute0@cs-nop-with-nop-compute0
>>> igt@amdgpu/amd_cs_nop@cs-nops-with-sync-compute0@cs-nop-with-sync-compute0
>>> igt@amdgpu/amd_cs_nop@cs-nops-with-fork-compute0@cs-nop-with-fork-compute0
>>> igt@amdgpu/amd_cs_nop@cs-nops-with-sync-fork-compute0@cs-nop-with-sync-fork-compute0
>>> igt@amdgpu/amd_basic@userptr-with-ip-dma@userptr
>>> igt@amdgpu/amd_basic@cs-compute-with-ip-compute@cs-compute
>>> igt@amdgpu/amd_basic@cs-sdma-with-ip-dma@cs-sdma
>>> igt@amdgpu/amd_basic@eviction-test-with-ip-dma@eviction_test
>>> igt@amdgpu/amd_cp_dma_misc@gtt_to_vram-amdgpu_hw_ip_compute0
>>> igt@amdgpu/amd_cp_dma_misc@vram_to_gtt-amdgpu_hw_ip_compute0
>>> igt@amdgpu/amd_cp_dma_misc@vram_to_vram-amdgpu_hw_ip_compute0
>>
>>
>> Could it be that we used BO list with zero entries for those?
> 
> Yes.  Dropping the 0 check fixed them.  E.g.,
> 
> +       if (in->bo_number > USHRT_MAX)
> +               return -EINVAL;


Feel free to keep my rb on that version as well.

Christian.

> 
> Alex
> 
>>
>> Christian.
>>
>>>
>>> Alex
>>>
>>>>
>>>> On Tue, Apr 22, 2025 at 5:13 AM Koenig, Christian 
>>>> <christian.koe...@amd.com>
>>>> wrote:
>>>>>
>>>>> [AMD Official Use Only - AMD Internal Distribution Only]
>>>>>
>>>>> Reviewed-by: Christian König <christian.koe...@amd.com>
>>>>>
>>>>> ________________________________________
>>>>> Von: Denis Arefev <are...@swemel.ru>
>>>>> Gesendet: Freitag, 18. April 2025 10:31
>>>>> An: Deucher, Alexander
>>>>> Cc: Koenig, Christian; David Airlie; Simona Vetter; Andrey Grodzovsky;
>>>>> Chunming Zhou; amd-...@lists.freedesktop.org;
>>>>> dri-devel@lists.freedesktop.org; linux-ker...@vger.kernel.org;
>>>>> lvc-proj...@linuxtesting.org; sta...@vger.kernel.org
>>>>> Betreff: [PATCH v2] drm/amdgpu: check a user-provided number of BOs in
>>>>> list
>>>>>
>>>>> The user can set any value to the variable ‘bo_number’, via the ioctl
>>>>> command DRM_IOCTL_AMDGPU_BO_LIST. This will affect the arithmetic
>>>>> expression ‘in->bo_number * in->bo_info_size’, which is prone to
>>>>> overflow. Add a valid value check.
>>>>>
>>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>>
>>>>> Fixes: 964d0fbf6301 ("drm/amdgpu: Allow to create BO lists in CS ioctl
>>>>> v3")
>>>>> Cc: sta...@vger.kernel.org
>>>>> Signed-off-by: Denis Arefev <are...@swemel.ru>
>>>>> ---
>>>>> V1 -> V2:
>>>>> Set a reasonable limit 'USHRT_MAX' for 'bo_number' it as Christian
>>>>> König <christian.koe...@amd.com> suggested
>>>>>
>>>>>  drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 +++
>>>>>  1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> index 702f6610d024..85f7ee1e085d 100644
>>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
>>>>> @@ -189,6 +189,9 @@ int amdgpu_bo_create_list_entry_array(struct
>>>> drm_amdgpu_bo_list_in *in,
>>>>>         struct drm_amdgpu_bo_list_entry *info;
>>>>>         int r;
>>>>>
>>>>> +       if (!in->bo_number || in->bo_number > USHRT_MAX)
>>>>> +               return -EINVAL;
>>>>> +
>>>>>         info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL);
>>>>>         if (!info)
>>>>>                 return -ENOMEM;
>>>>> --
>>>>> 2.43.0
>>>>>
>>

Reply via email to