[PATCH v2] drm: Account property blob allocations to memcg

Xiao Kan posted 1 patch 1 month ago
There is a newer version of this series
drivers/gpu/drm/drm_property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH v2] drm: Account property blob allocations to memcg
Posted by Xiao Kan 1 month ago
DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized
property blobs backed by kernel memory.

Currently, the blob data allocation is not accounted to the allocating
process's memory cgroup, allowing unprivileged users to trigger unbounded
kernel memory consumption and potentially cause system-wide OOM.

Mark the property blob data allocation with GFP_ACCOUNT so that the memory
is properly charged to the caller's memcg. This ensures existing cgroup
memory limits apply and prevents uncontrolled kernel memory growth without
introducing additional policy or per-file limits.

Changes since v1:
  - Drop the per-drm_file blob count limit.
  - Account blob data allocations to memcg via GFP_KERNEL_ACCOUNT instead.

Signed-off-by: Xiao Kan <814091656@qq.com>
Signed-off-by: Xiao Kan <xiao.kan@samsung.com>
---
 drivers/gpu/drm/drm_property.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 596272149..a34758712 100755
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -562,7 +562,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
 	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
 		return ERR_PTR(-EINVAL);
 
-	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
+	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL_ACCOUNT);
 	if (!blob)
 		return ERR_PTR(-ENOMEM);
 
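Review bot: the added line keeps `sizeof(struct drm_property_blob)+length` with no spaces around `+`; since the line is being touched anyway, write it as `sizeof(struct drm_property_blob) + length` to match kernel coding style. The commit message also names GFP_ACCOUNT in its third paragraph while the hunk uses GFP_KERNEL_ACCOUNT, so the text should name the flag the code actually passes. Separately, the index line shows mode 100755 for drivers/gpu/drm/drm_property.c; a C source file should not carry the executable bit, so it is worth checking the mode in the tree the patch was generated from.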
-- 
2.51.0
Re: [PATCH v2] drm: Account property blob allocations to memcg
Posted by Maxime Ripard 3 weeks, 3 days ago
Hi,

On Mon, Jan 05, 2026 at 11:14:13AM -0500, Xiao Kan wrote:
> DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized
> property blobs backed by kernel memory.
> 
> Currently, the blob data allocation is not accounted to the allocating
> process's memory cgroup, allowing unprivileged users to trigger unbounded
> kernel memory consumption and potentially cause system-wide OOM.
> 
> Mark the property blob data allocation with GFP_ACCOUNT so that the memory
> is properly charged to the caller's memcg. This ensures existing cgroup
> memory limits apply and prevents uncontrolled kernel memory growth without
> introducing additional policy or per-file limits.
> 
> Changes since v1:
>   - Drop the per-drm_file blob count limit.
>   - Account blob data allocations to memcg via GFP_KERNEL_ACCOUNT instead.
> 
> Signed-off-by: Xiao Kan <814091656@qq.com>
> Signed-off-by: Xiao Kan <xiao.kan@samsung.com>

It looks like you sent two different patches labelled v2? Sending a new
version in itself is not a problem (and even encouraged), but you should
always bump the version number.

Maxime
[PATCH v3] drm: Account property blob allocations to memcg
Posted by Xiao Kan 3 weeks, 2 days ago
DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized
property blobs backed by kernel memory.

Currently, the blob data allocation is not accounted to the allocating
process's memory cgroup, allowing unprivileged users to trigger unbounded
kernel memory consumption and potentially cause system-wide OOM.

Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory
is properly charged to the caller's memcg. This ensures existing cgroup
memory limits apply and prevents uncontrolled kernel memory growth without
introducing additional policy or per-file limits.

Signed-off-by: Xiao Kan <814091656@qq.com>
Signed-off-by: Xiao Kan <xiao.kan@samsung.com>
---
 drivers/gpu/drm/drm_property.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 596272149..3c88b5fbd 100755
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -562,7 +562,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
 	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
 		return ERR_PTR(-EINVAL);
 
-	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
+	blob = kvzalloc(sizeof(struct drm_property_blob) + length, GFP_KERNEL_ACCOUNT);
 	if (!blob)
 		return ERR_PTR(-ENOMEM);
 
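Review bot: on the changed kvzalloc() line the only size bound is still the `length > INT_MAX - sizeof(struct drm_property_blob)` check above it, so GFP_KERNEL_ACCOUNT limits blob memory only for callers that run in a memory cgroup with a limit configured; a caller outside any limited memcg can still allocate up to that bound per blob. The commit message should say this explicitly rather than "prevents uncontrolled kernel memory growth", so the remaining exposure is documented. The hunk also folds a whitespace fix (spaces around `+`) into the functional change with no v2 to v3 changelog below the `---`; note it there. The index line still shows mode 100755 for this source file, which is worth checking in the submitting tree.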
-- 
2.51.0
Re: [PATCH v3] drm: Account property blob allocations to memcg
Posted by Maxime Ripard 3 weeks ago
On Wed, 14 Jan 2026 08:22:26 -0500, Xiao Kan wrote:
> DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized
> property blobs backed by kernel memory.
> 
> Currently, the blob data allocation is not accounted to the allocating
> process's memory cgroup, allowing unprivileged users to trigger unbounded
> kernel memory consumption and potentially cause system-wide OOM.
> 
> [...]

Applied to misc/kernel.git (drm-misc-next).

Thanks!
Maxime