diff options
| author | Junrui Luo <moonafterrain@outlook.com> | 2026-03-24 17:39:02 +0800 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2026-03-30 16:08:17 -0400 |
| commit | a018d1819f158991b7308e4f74609c6c029b670c (patch) | |
| tree | f03847302b9d5bfb49a48af65d1310fb4e9828b6 /fs/devfs/git@git.tavy.me:linux.git | |
| parent | a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 (diff) | |
drm/amdgpu: validate doorbell_offset in user queue creation
amdgpu_userq_get_doorbell_index() passes the user-provided
doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds
checking. An arbitrarily large doorbell_offset can cause the
calculated doorbell index to fall outside the allocated doorbell BO,
potentially corrupting kernel doorbell space.
Validate that doorbell_offset falls within the doorbell BO before
computing the BAR index, using u64 arithmetic to prevent overflow.
Fixes: f09c1e6077ab ("drm/amdgpu: generate doorbell index for userqueue")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)
Cc: stable@vger.kernel.org
Diffstat (limited to 'fs/devfs/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions