From: sashiko-bot@kernel.org
To: "Rob Clark" <robin.clark@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v3 2/4] drm/msm: Validate lazy VM is created in GEM_SUBMIT
Date: Thu, 25 Jun 2026 22:50:09 +0000 [thread overview]
Message-ID: <20260625225010.7EC691F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625222744.22254-3-robin.clark@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Ineffective integer overflow protection during allocation size calculation in `submit_create` leads to potential heap buffer overflows.
--
commit 0bc0c946b740e56645786e074bd1e98b7bdd28a0
Author: Rob Clark <robin.clark@oss.qualcomm.com>
Subject: drm/msm: Validate lazy VM is created in GEM_SUBMIT
This commit fixes a potential NULL pointer dereference in the GEM_SUBMIT
ioctl. It ensures that the lazy VM is validated and created before any
buffer objects are mapped.
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 26ea8a28be474..0dc983d155cd2 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -30,7 +30,7 @@
> */
>
> static struct msm_gem_submit *submit_create(struct drm_device *dev,
> - struct msm_gpu *gpu,
> + struct msm_gpu *gpu, struct drm_gpuvm *vm,
> struct msm_gpu_submitqueue *queue, uint32_t nr_bos,
> uint32_t nr_cmds, u64 drm_client_id)
> {
[Severity: High]
This is a pre-existing issue, but does the overflow check in this function
work as intended?
In submit_create(), sz is calculated using struct_size() and assigned to a
uint64_t variable:
sz = struct_size(submit, bos, nr_bos) +
((u64)nr_cmds * sizeof(submit->cmd[0]));
if (sz > SIZE_MAX)
return ERR_PTR(-ENOMEM);
Since sz and SIZE_MAX share the same maximum width on 64-bit architectures,
can sz ever evaluate to strictly greater than SIZE_MAX?
If the struct_size() calculation saturates to SIZE_MAX upon overflow, the
subsequent addition of the command array size could wrap sz around to a small
positive value.
This would cause the check to evaluate to false and bypass the protection,
allocating a memory block that is too small for the requested elements and
allowing a potential heap buffer overflow if userspace provides extremely
large values for the number of buffer objects or commands.
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625222744.22254-1-robin.clark@oss.qualcomm.com?part=2
next prev parent reply other threads:[~2026-06-25 22:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 22:27 [PATCH v3 0/4] drm/msm: A couple lazy-vm fixes Rob Clark
2026-06-25 22:27 ` [PATCH v3 1/4] drm/msm: Fix barriers accessing ctx vm Rob Clark
2026-06-25 22:27 ` [PATCH v3 2/4] drm/msm: Validate lazy VM is created in GEM_SUBMIT Rob Clark
2026-06-25 22:50 ` sashiko-bot [this message]
2026-06-25 22:27 ` [PATCH v3 3/4] drm/msm: Validate lazy VM in GEM_NEW Rob Clark
2026-06-25 22:38 ` sashiko-bot
2026-06-25 22:27 ` [PATCH v3 4/4] drm/msm: Fix per-process-pgtables check Rob Clark
2026-06-25 22:40 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625225010.7EC691F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=robin.clark@oss.qualcomm.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.