From: Madhur Kumar
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Madhur Kumar, syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Subject: [PATCH RESEND] drm/syncobj: Validate count_handles to prevent large allocations in array_find()
Date: Sun, 7 Dec 2025 03:30:45 +0530
Message-ID: <20251206220045.1403233-1-madhurkumar004@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

The DRM_IOCTL_SYNCOBJ_WAIT ioctl reads `count_handles` from userspace and
uses it directly when allocating memory in array_find(), and kmalloc_array()
allows userspace to request very large allocations, which syzkaller was
able to trigger.

Such unbounded values can lead to excessive memory requests, allocation
failures, warnings, or resource exhaustion paths.

Add explicit bounds validation to prevent excessively large allocations
coming from userspace-provided values.

Reported-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377
Fixes: 3e6fb72d6cef6 ("drm/syncobj: Add a syncobj_array_find helper")
Tested-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Signed-off-by: Madhur Kumar
---
 drivers/gpu/drm/drm_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index e1b0fa4000cd..f322b38ec251 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *f= ile_private, uint32_t i, *handles; struct drm_syncobj **syncobjs; int ret; + size_t size; + + if (check_mul_overflow(count_handles, sizeof(*handles), &size)) + return -EOVERFLOW; + + if (size > KMALLOC_MAX_SIZE) + return -ERANGE; =20 handles =3D kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL); if (handles =3D=3D NULL) --=20 2.52.0
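Review bot: the check_mul_overflow() test in this hunk is redundant with the kmalloc_array() call right below it, which already returns NULL when count_handles * sizeof(*handles) overflows, so the only new protection is the `size > KMALLOC_MAX_SIZE` comparison; drop the separate -EOVERFLOW path and keep a single bound, preferably an explicit maximum handle count rather than the allocator's limit, since a count just under KMALLOC_MAX_SIZE / 4 still lets userspace drive a multi-megabyte allocation on every wait. The bound is also computed only for the uint32_t `handles` array, while the function declares `struct drm_syncobj **syncobjs` in the same scope; any array of pointers sized from the same count_handles is twice as large per element on 64-bit and can exceed KMALLOC_MAX_SIZE after this check has passed, so size the bound from the largest per-handle element (or check both allocations). Finally, DRM ioctl paths conventionally reject invalid userspace counts with -EINVAL rather than -ERANGE, and a one-line comment stating that the cap exists to avoid the oversized-allocation warning syzbot reported would help whoever next touches this function.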