From: Xiao Kan <814091656@qq.com>
To: w@1wt.eu
Cc: security@kernel.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, dri-devl@lists.freedesktop.org, linux-kernel@vger.kernel.org, kanxiao666@gmail.com, xiao.kan@samsung.com, Xiao Kan <814091656@qq.com>
Subject: [PATCH] drm: limit property blob creation per file
Date: Sat, 3 Jan 2026 10:06:41 -0500
X-OQ-MSGID: <20260103150641.298804-1-814091656@qq.com>
X-Mailer: git-send-email 2.51.0
X-Mailing-List: linux-kernel@vger.kernel.org

DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to create property blobs whose lifetime is scoped to a drm_file. Currently, a single drm_file may create an unbounded number of blobs. Repeated ioctl calls can trigger unbounded kernel memory allocation and lead to OOM, resulting in a denial-of-service.

Introduce a per-drm_file limit on the number of user-created property blobs. The limit is enforced at the point where a blob becomes associated with a drm_file, matching the existing ownership and lifetime model. This bounds per-file allocations while the total number of DRM file descriptors remains constrained by existing kernel limits.

Signed-off-by: Xiao Kan <814091656@qq.com>
Signed-off-by: Xiao Kan
--- drivers/gpu/drm/drm_file.c | 1 + drivers/gpu/drm/drm_property.c | 8 ++++++++ include/drm/drm_file.h | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c index eebd1a05e..873bf6248 100755 --- a/drivers/gpu/drm/drm_file.c +++ b/drivers/gpu/drm/drm_file.c
@@ -152,6 +152,7 @@ struct drm_file *drm_file_alloc(struct drm_minor *minor) INIT_LIST_HEAD(&file->fbs); mutex_init(&file->fbs_lock); INIT_LIST_HEAD(&file->blobs); + file->blob_count =3D 0; INIT_LIST_HEAD(&file->pending_event_list); INIT_LIST_HEAD(&file->event_list); init_waitqueue_head(&file->event_wait); diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c index 596272149..00eac336a 100755 --- a/drivers/gpu/drm/drm_property.c +++ b/drivers/gpu/drm/drm_property.c @@ -618,6 +618,7 @@ void drm_property_destroy_user_blobs(struct drm_device = *dev, */ list_for_each_entry_safe(blob, bt, &file_priv->blobs, head_file) { list_del_init(&blob->head_file); + file_priv->blob_count--; drm_property_blob_put(blob); } } @@ -864,8 +865,14 @@ int drm_mode_createblob_ioctl(struct drm_device *dev, * as only the same file_priv can remove the blob; at this point, it is * not associated with any file_priv. */ mutex_lock(&dev->mode_config.blob_lock); + if (file_priv->blob_count >=3D DRM_FILE_MAX_PROPBLOBS) { + mutex_unlock(&dev->mode_config.blob_lock); + drm_property_blob_put(blob); + return -ENOSPC; + } out_resp->blob_id =3D blob->base.id; list_add_tail(&blob->head_file, &file_priv->blobs); + file_priv->blob_count++; mutex_unlock(&dev->mode_config.blob_lock); =20 return 0; @@ -907,6 +914,7 @@ int drm_mode_destroyblob_ioctl(struct drm_device *dev, /* We must drop head_file here, because we may not be the last * reference on the blob. */ list_del_init(&blob->head_file); + file_priv->blob_count--; mutex_unlock(&dev->mode_config.blob_lock); =20 /* One reference from lookup, and one from the filp. */ diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index 115763799..211c4284f 100755 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -38,6 +38,9 @@ =20 #include =20 +/* Maximum number of user-created property blobs per drm_file */ +#define DRM_FILE_MAX_PROPBLOBS 256 + struct dma_fence; struct drm_file; struct drm_device; 
@@ -349,6 +352,9 @@ struct drm_file { */ struct list_head blobs; =20 + /* Number of property blobs owned by this file */ + unsigned int blob_count; + /** @event_wait: Waitqueue for new events added to @event_list. */ wait_queue_head_t event_wait; =20 --=20 2.51.0
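Review bot: the `file->blob_count = 0;` added to drm_file_alloc() (first hunk, drm_file.c) is redundant: the drm_file is zero-allocated with kzalloc(), so the counter already starts at 0; the neighbouring INIT_LIST_HEAD() calls exist only because a list head must point at itself, which a plain integer does not need. Drop the line and the drm_file.c hunk disappears entirely. Two patch-hygiene points for the resend: the `index eebd1a05e..873bf6248 100755` lines on all three files show the patch was generated from a tree where the sources carry the executable bit (upstream they are 100644), so regenerate it from a clean checkout or with core.fileMode set; and the trailer carries two Signed-off-by lines for the same author, the second without an address, so keep only the first.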
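Review bot: the `file_priv->blob_count--;` in drm_property_destroy_user_blobs() (drm_property.c, first hunk) is dead accounting: this path runs on file release, the loop empties the whole list, and file_priv is torn down right after, so nothing ever reads the decremented value. Either drop the decrement, or keep it and add `WARN_ON(file_priv->blob_count);` after the loop so that any drift between the list and the counter (which would silently shrink or widen the limit for that file) shows up in testing.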
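Review bot: the limit check in drm_mode_createblob_ioctl() (drm_property.c, second hunk) sits after drm_property_create_blob() has already allocated the blob and copied the user-supplied data, so a file at the limit still pays a full allocate, copy and free per rejected call; add an early `if (file_priv->blob_count >= DRM_FILE_MAX_PROPBLOBS) return -ENOSPC;` before the allocation as a fast-path reject and keep the locked check as the authoritative one. Two further points on the same hunk: a count limit does not bound memory, since the size of each blob is chosen by userspace per call, so the commit message's claim that this "bounds per-file allocations" should be qualified or the accounting should be in bytes; and both 256 and -ENOSPC are new uAPI behaviour, so the number needs a justification (how many blobs a real compositor keeps alive at once, for example one blob per blob-typed property per atomic commit) and the errno should be documented with the ioctl. The unlock before drm_property_blob_put() in the error path is correct, as the final put takes blob_lock itself when it unlinks the blob from the global list.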
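Review bot: the new member comment `/* Number of property blobs owned by this file */` in struct drm_file (drm_file.h, second hunk) should use the kernel-doc form the rest of the struct uses, as the neighbouring `/** @event_wait: ... */` shows: write `/** @blob_count: Number of user-created property blobs on @blobs, bounded by DRM_FILE_MAX_PROPBLOBS. */`, otherwise the documentation build warns about an undocumented member. It would also help to state in the comment above DRM_FILE_MAX_PROPBLOBS (first drm_file.h hunk) why 256 was chosen, and to note in the member doc that @blob_count is updated under &drm_mode_config.blob_lock, matching the ioctl paths that modify it.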