From: Ashutosh Desai
To: mwen@igalia.com, mcanal@igalia.com
Cc: itoral@igalia.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, dri-devel@lists.freedesktop.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, Ashutosh Desai
Subject: [PATCH v4] drm/v3d: Reject empty multisync extension to prevent infinite loop
Date: Wed, 15 Apr 2026 05:00:00 +0000
Message-Id: <20260415050000.3816128-1-ashutoshdesai993@gmail.com>

v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user can
craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing
duplicate-extension guard:

	if (se->in_sync_count || se->out_sync_count)
		return -EINVAL;

The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking the
calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both in_sync_count and
out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty
multisync carries no synchronization information and serves no useful
purpose, so returning -EINVAL for such an extension is the correct
defense against this attack vector.

Fixes: 9032d5f633ed ("drm/v3d: Detach job submissions IOCTLs to a new specific file")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai
---
V3 -> V4: fix indentation
V2 -> V3: drop depth counter; instead reject empty multisync
          (in_sync_count == 0 && out_sync_count == 0) in
          v3d_get_multisync_submit_deps()
V1 -> V2: change cap from 16 to V3D_MAX_EXTENSIONS (7), add #define

v3: https://lore.kernel.org/dri-devel/177614548527.3603641.5360701002746181082@gmail.com/
v2: https://lore.kernel.org/dri-devel/20260413055230.3349114-1-ashutoshdesai993@gmail.com/
v1: https://lore.kernel.org/dri-devel/20260410013907.2404175-1-ashutoshdesai993@gmail.com/

 drivers/gpu/drm/v3d/v3d_submit.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_sub= mit.c index 18f2bf1fe89f..fc74351efad5 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -393,6 +393,11 @@ v3d_get_multisync_submit_deps(struct drm_file *file_pr= iv, if (multisync.pad) return -EINVAL; =20 + if (!multisync.in_sync_count && !multisync.out_sync_count) { + drm_dbg(&v3d->drm, "Empty multisync extension\n"); + return -EINVAL; + } + ret =3D v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_cou= nt, multisync.out_syncs); if (ret) --=20 2.34.1
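Review bot: the new check turns a multisync extension with in_sync_count == 0 and out_sync_count == 0, which the driver accepted before, into an -EINVAL; that is a uAPI behaviour change that the Fixes: tag and Cc: stable will carry into released kernels, so the commit message should state explicitly that no existing userspace submits an empty multisync rather than only that it "serves no useful purpose". Two smaller points: the added drm_dbg() dereferences v3d, but no v3d local is visible in the hunk context (only file_priv and se appear), so confirm the function already declares it; and since rejection of a repeated non-empty multisync still relies on the existing `if (se->in_sync_count || se->out_sync_count)` guard firing on the second visit, a one-line comment above the new check saying that an empty multisync would otherwise leave that guard unreachable would make the intent clear to future readers.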
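Added here as an illustration, not part of the patch or the driver: a userspace C model of the extension-list walk and guard the commit message describes. The struct names mirror the driver but are simplified stand-ins, the copy_from_user()/drm_dbg() plumbing is omitted, and MAX_STEPS is an assumed simulation bound the real loop lacks; reject_empty toggles the patch's check so unpatched and patched behaviour can be compared on the same self-referential input.

```c
/* Added illustration, not kernel code: a userspace model of the v3d_get_extensions()
 * walk and multisync guard from the commit message. Types are simplified uAPI
 * stand-ins, copy_from_user()/drm_dbg() are dropped, MAX_STEPS is a bound the real loop lacks. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_STEPS 64

struct drm_v3d_extension {
	struct drm_v3d_extension *next;  /* userspace-controlled link; may form a cycle */
	uint32_t in_sync_count, out_sync_count;
};
struct v3d_submit_ext { uint32_t in_sync_count, out_sync_count; };

/* Models v3d_get_multisync_submit_deps(); reject_empty = 1 applies the patch. */
static int get_multisync_submit_deps(const struct drm_v3d_extension *ext,
				     struct v3d_submit_ext *se, int reject_empty)
{
	/* Existing duplicate guard: reachable only after nonzero counts were stored. */
	if (se->in_sync_count || se->out_sync_count)
		return -EINVAL;
	/* The patch's new check: an empty multisync is rejected outright. */
	if (reject_empty && !ext->in_sync_count && !ext->out_sync_count)
		return -EINVAL;
	se->in_sync_count = ext->in_sync_count;
	se->out_sync_count = ext->out_sync_count;
	return 0;
}

/* Models the unbounded walk in v3d_get_extensions(): 0 on success, -EINVAL
 * on rejection, -1 once MAX_STEPS is exceeded (the kernel would spin forever). */
static int get_extensions(const struct drm_v3d_extension *ext, int reject_empty)
{
	struct v3d_submit_ext se = { 0, 0 };
	int steps = 0, ret;
	for (; ext; ext = ext->next) {
		if ((ret = get_multisync_submit_deps(ext, &se, reject_empty)))
			return ret;
		if (++steps > MAX_STEPS)
			return -1;
	}
	return 0;
}

/* Constructed input: a single self-referential multisync with the given counts. */
int walk_self_referential(uint32_t in, uint32_t out, int reject_empty)
{
	struct drm_v3d_extension ext = { &ext, in, out };  /* ext->next == &ext */
	return get_extensions(&ext, reject_empty);
}
```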