From: David Carlier <devnexen@gmail.com>
To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
	Maxime Ripard <mripard@kernel.org>,
	Thomas Zimmermann <tzimmermann@suse.de>,
	David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
	Dave Airlie <airlied@redhat.com>,
	Keith Packard <keithp@keithp.com>,
	dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com,
	David Carlier <devnexen@gmail.com>
Subject: [PATCH] drm/lease: cap object_count to avoid order > MAX_PAGE_ORDER warning
Date: Tue, 26 May 2026 06:53:59 +0100	[thread overview]
Message-ID: <20260526055359.17392-1-devnexen@gmail.com> (raw)

cl->object_count comes from userspace unbounded and reaches
kzalloc_objs() in fill_object_idr(); a large value trips
WARN_ON_ONCE_GFP in __alloc_frozen_pages_noprof(), letting a DRM
master produce a kernel splat.

Bound object_count at the ioctl entry so the page allocator is
never asked for an absurd order.

Reported-by: syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d32c8bd82427f9c77cc
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 drivers/gpu/drm/drm_lease.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 5d2cf724cbd7..bdec759187d9 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -466,6 +466,13 @@ static int fill_object_idr(struct drm_device *dev,
 	return ret;
 }
 
+/*
+ * Upper bound on the number of objects a single lease can reference.
+ * Real workloads use a handful; this is set well above any plausible
+ * value to avoid kmalloc requests that would exceed MAX_PAGE_ORDER.
+ */
+#define DRM_MAX_LEASE_OBJECTS	4096
+
 /*
  * The master associated with the specified file will have a lease
  * created containing the objects specified in the ioctl structure.
@@ -505,6 +512,12 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
 	}
 
 	object_count = cl->object_count;
+	if (unlikely(object_count > DRM_MAX_LEASE_OBJECTS)) {
+		drm_dbg_lease(dev, "object_count %zu exceeds max %u\n",
+			      object_count, DRM_MAX_LEASE_OBJECTS);
+		ret = -EINVAL;
+		goto out_lessor;
+	}
 
 	/* Handle leased objects, if any */
 	idr_init(&leases);
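Review bot: the new check sits after `object_count = cl->object_count;` and bails out via `goto out_lessor`, which indicates the lessor has already been looked up by this point; validating a plain user-supplied integer can be done before any reference is taken, so consider moving the bound check earlier in the function if the surrounding code permits, so that oversize requests are rejected before any setup work. Minor: `drm_dbg_lease()` prints `object_count` with `%zu` and the plain integer literal `DRM_MAX_LEASE_OBJECTS` with `%u`; either define the constant as `4096U` or use `%d` so the format matches the type.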
-- 
2.53.0


