From: Madhur Kumar
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Madhur Kumar, syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Subject: [PATCH] drm/syncobj: Validate count_handles to prevent large allocations in array_find()
Date: Sat, 27 Dec 2025 21:38:30 +0530
Message-ID: <20251227160830.34291-1-madhurkumar004@gmail.com>

The DRM_IOCTL_SYNCOBJ_WAIT ioctl reads `count_handles` from userspace and
uses it directly when allocating memory in array_find(), and kmalloc_array()
allows userspace to request very large allocations, which syzkaller was able
to trigger.

Such unbounded values can lead to excessive memory requests, allocation
failures, warnings, or resource exhaustion paths.

Add explicit bounds validation to prevent excessively large allocations
coming from userspace-provided values.

Reported-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=95416f957d84e858b377
Fixes: 3e6fb72d6cef6 ("drm/syncobj: Add a syncobj_array_find helper")
Tested-by: syzbot+95416f957d84e858b377@syzkaller.appspotmail.com
Signed-off-by: Madhur Kumar
---
 drivers/gpu/drm/drm_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index e1b0fa4000cd..f322b38ec251 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1293,6 +1293,13 @@ static int drm_syncobj_array_find(struct drm_file *f= ile_private, uint32_t i, *handles; struct drm_syncobj **syncobjs; int ret; + size_t size; + + if (check_mul_overflow(count_handles, sizeof(*handles), &size)) + return -EOVERFLOW; + + if (size > KMALLOC_MAX_SIZE) + return -ERANGE; =20 handles =3D kmalloc_array(count_handles, sizeof(*handles), GFP_KERNEL); if (handles =3D=3D NULL) --=20 2.52.0
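Review bot: the check_mul_overflow() call in this hunk duplicates a check that kmalloc_array() already performs, since kmalloc_array() returns NULL when count_handles * sizeof(*handles) overflows and the existing `if (handles == NULL)` path already handles that case; the only new protection is the `size > KMALLOC_MAX_SIZE` comparison, so either keep the multiplication solely to compute `size` for that comparison and say so in a comment, or pass `size` to a plain kmalloc() so the product is not computed twice. The two new return values also deserve a second look: this helper is fed directly from an ioctl argument, and userspace will now see -EOVERFLOW or -ERANGE for a bad count_handles where -EINVAL is the conventional errno for an invalid argument, and neither new code is mentioned in the commit message. Finally, KMALLOC_MAX_SIZE is an allocator-internal limit rather than a property of the syncobj interface, so the commit message should state why it is the chosen bound (the oversized-allocation warning it avoids) rather than presenting it as a fixed uAPI maximum.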