diff options
| author | Sunday Clement <Sunday.Clement@amd.com> | 2026-05-19 10:02:30 -0400 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2026-06-04 16:00:11 -0400 |
| commit | 9c6ffdb41fa5dcf47a262c656e9f443d0d26049c (patch) | |
| tree | b45a0a79263c711cf99301209df6cea5214c1175 | |
| parent | 40396ffdf6120e2380706c59e1a84d7e765a37b6 (diff) | |
| download | lwn-9c6ffdb41fa5dcf47a262c656e9f443d0d26049c.tar.gz lwn-9c6ffdb41fa5dcf47a262c656e9f443d0d26049c.zip | |
drm/amdkfd: Add bounds check for AMDKFD_IOC_WAIT_EVENTS
The kfd_wait_on_events ioctl passes a user-supplied num_events parameter
directly to alloc_event_waiters() which calls kcalloc() without validation.
This allows unprivileged users with /dev/kfd access to trigger large kernel
memory allocations, potentially causing memory exhaustion and denial of
service via the OOM killer.
Add a check to reject num_events values exceeding KFD_SIGNAL_EVENT_LIMIT
(4096), which is the maximum number of events a single process can create.
Signed-off-by: Sunday Clement <Sunday.Clement@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 39eb6da7acee8d0cc12a8959235b590f295d7b4c)
| -rw-r--r-- | drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c index 44150a71ffd5..e65b323aafbf 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c @@ -795,6 +795,8 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events) struct kfd_event_waiter *event_waiters; uint32_t i; + if (num_events > KFD_SIGNAL_EVENT_LIMIT) + return NULL; event_waiters = kzalloc_objs(struct kfd_event_waiter, num_events); if (!event_waiters) return NULL; |