From: Jia Yao <jia.yao@intel.com>
To: intel-xe@lists.freedesktop.org
Cc: "Jia Yao" <jia.yao@intel.com>,
"Matthew Auld" <matthew.auld@intel.com>,
stable@vger.kernel.org, "Matthew Brost" <matthew.brost@intel.com>,
"Shuicheng Lin" <shuicheng.lin@intel.com>,
"Himal Prasad Ghimiray" <himal.prasad.ghimiray@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>
Subject: [PATCH v3] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
Date: Thu, 5 Feb 2026 16:15:29 +0000 [thread overview]
Message-ID: <20260205161529.1819276-1-jia.yao@intel.com> (raw)
In-Reply-To: <20260203172045.1154546-1-jia.yao@intel.com>
When user provides a bogus pat_index value through the madvise IOCTL, the
xe_pat_index_get_coh_mode() function performs an array access without
validating bounds. This allows a malicious user to trigger an out-of-bounds
kernel read from the xe->pat.table array.
The vulnerability exists because the validation in madvise_args_are_sane()
directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without
first checking if pat_index is within [0, xe->pat.n_entries).
Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug
builds, it still performs the unsafe array access in production kernels.
v2(Matthew Auld)
- Using array_index_nospec() to mitigate spectre attacks when the value
is used
v3(Matthew Auld)
- Put the declarations at the start of the block
Fixes: ada7486c5668 ("drm/xe: Implement madvise ioctl for xe")
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Cc: <stable@vger.kernel.org> # v6.18+
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Shuicheng Lin <shuicheng.lin@intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Signed-off-by: Jia Yao <jia.yao@intel.com>
---
drivers/gpu/drm/xe/xe_vm_madvise.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_vm_madvise.c b/drivers/gpu/drm/xe/xe_vm_madvise.c
index add9a6ca2390..091e450b781c 100644
--- a/drivers/gpu/drm/xe/xe_vm_madvise.c
+++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
@@ -246,6 +246,10 @@ static int xe_vm_invalidate_madvise_range(struct xe_vm *vm, u64 start, u64 end)
static bool madvise_args_are_sane(struct xe_device *xe, const struct drm_xe_madvise *args)
{
+ s32 fd;
+ u16 pat_index;
+ u16 coh_mode;
+
if (XE_IOCTL_DBG(xe, !args))
return false;
@@ -261,7 +265,7 @@ static bool madvise_args_are_sane(struct xe_device *xe, const struct drm_xe_madv
switch (args->type) {
case DRM_XE_MEM_RANGE_ATTR_PREFERRED_LOC:
{
- s32 fd = (s32)args->preferred_mem_loc.devmem_fd;
+ fd = (s32)args->preferred_mem_loc.devmem_fd;
if (XE_IOCTL_DBG(xe, fd < DRM_XE_PREFERRED_LOC_DEFAULT_SYSTEM))
return false;
@@ -291,8 +295,11 @@ static bool madvise_args_are_sane(struct xe_device *xe, const struct drm_xe_madv
break;
case DRM_XE_MEM_RANGE_ATTR_PAT:
{
- u16 coh_mode = xe_pat_index_get_coh_mode(xe, args->pat_index.val);
+ if (XE_IOCTL_DBG(xe, args->pat_index.val >= xe->pat.n_entries))
+ return false;
+ pat_index = array_index_nospec(args->pat_index.val, xe->pat.n_entries);
+ coh_mode = xe_pat_index_get_coh_mode(xe, pat_index);
if (XE_IOCTL_DBG(xe, !coh_mode))
return false;
--
2.43.0
next prev parent reply other threads:[~2026-02-05 16:15 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-03 17:20 [PATCH] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise Jia Yao
2026-02-03 17:27 ` ✓ CI.KUnit: success for " Patchwork
2026-02-03 17:29 ` [PATCH] " Matthew Auld
2026-02-03 18:02 ` ✗ Xe.CI.BAT: failure for " Patchwork
2026-02-03 21:06 ` [PATCH v2] " Jia Yao
2026-02-04 15:44 ` Matthew Auld
2026-02-04 18:15 ` Yao, Jia
2026-02-05 10:21 ` Matthew Auld
2026-02-03 21:14 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev2) Patchwork
2026-02-03 21:47 ` ✗ Xe.CI.BAT: failure " Patchwork
2026-02-03 22:33 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev3) Patchwork
2026-02-03 23:06 ` ✗ Xe.CI.BAT: failure " Patchwork
2026-02-04 13:05 ` ✗ Xe.CI.FULL: " Patchwork
2026-02-05 0:10 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev4) Patchwork
2026-02-05 0:43 ` ✓ Xe.CI.BAT: " Patchwork
2026-02-05 15:38 ` ✗ Xe.CI.FULL: failure " Patchwork
2026-02-05 16:15 ` Jia Yao [this message]
2026-02-05 16:30 ` [PATCH v3] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise Matthew Auld
2026-02-05 16:22 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev5) Patchwork
2026-02-05 17:03 ` ✓ Xe.CI.BAT: " Patchwork
2026-02-06 15:19 ` ✗ Xe.CI.FULL: failure " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260205161529.1819276-1-jia.yao@intel.com \
--to=jia.yao@intel.com \
--cc=himal.prasad.ghimiray@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=matthew.auld@intel.com \
--cc=matthew.brost@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=shuicheng.lin@intel.com \
--cc=stable@vger.kernel.org \
--cc=thomas.hellstrom@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox