[PATCH] drm/lease: cap object_count to avoid order > MAX_PAGE_ORDER warning

[PATCH] drm/lease: cap object_count to avoid order > MAX_PAGE_ORDER warning

[David Carlier]

cl->object_count comes from userspace unbounded and reaches
kzalloc_objs() in fill_object_idr(); a large value trips
WARN_ON_ONCE_GFP in __alloc_frozen_pages_noprof(), letting a DRM
master produce a kernel splat.

Bound object_count at the ioctl entry so the page allocator is
never asked for an absurd order.

Reported-by: syzbot+5d32c8bd82427f9c77cc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d32c8bd82427f9c77cc
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 drivers/gpu/drm/drm_lease.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 5d2cf724cbd7..bdec759187d9 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -466,6 +466,13 @@ static int fill_object_idr(struct drm_device *dev,
 	return ret;
 }
 
+/*
+ * Upper bound on the number of objects a single lease can reference.
+ * Real workloads use a handful; this is set well above any plausible
+ * value to avoid kmalloc requests that would exceed MAX_PAGE_ORDER.
+ */
+#define DRM_MAX_LEASE_OBJECTS	4096
+
 /*
  * The master associated with the specified file will have a lease
  * created containing the objects specified in the ioctl structure.
@@ -505,6 +512,12 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
 	}
 
 	object_count = cl->object_count;
+	if (unlikely(object_count > DRM_MAX_LEASE_OBJECTS)) {
+		drm_dbg_lease(dev, "object_count %zu exceeds max %u\n",
+			      object_count, DRM_MAX_LEASE_OBJECTS);
+		ret = -EINVAL;
+		goto out_lessor;
+	}
 
 	/* Handle leased objects, if any */
 	idr_init(&leases);
-- 
2.53.0