Re: [PATCH] drm/xe: Add bounds check for num_binds to prevent memory exhaustion

[Matthew Brost <matthew.brost@intel.com>]

On Thu, May 07, 2026 at 08:31:40AM +0200, Thomas Hellström wrote:
> On Wed, 2026-05-06 at 12:28 -0700, Matthew Brost wrote:
> > On Wed, May 06, 2026 at 11:36:36PM +0530, Ramesh Adhikari wrote:
> > > The xe_vm_bind_ioctl function accepts user-controlled num_binds
> > > without
> > > 
> > > bounds checking, allowing arbitrarily large memory allocations.
> > > This
> > > 
> > > follows the same vulnerability pattern that was fixed for num_syncs
> > > in
> > > 
> > > commit 8e461304009d ("drm/xe: Limit num_syncs to prevent huge
> > > allocations").
> > > 
> > 
> > The difference here is we issues kvmalloc (2G) vs kmalloc (4M) in the
> > sync case. So still possible a user triggers kvmalloc over 2G...
> > 
> > > Add DRM_XE_MAX_BINDS (1024) limit and validate num_binds before
> > > allocation,
> > > 
> > > matching the num_syncs fix pattern.
> > > 
> > > Similar unbounded allocations exist for num_mem_ranges and OA
> > > n_regs,
> > > 
> > > which should be addressed in follow-up patches.
> > > 
> > > Cc: stable@vger.kernel.org
> > > 
> > > Signed-off-by: Ramesh <adhikari.resume@gmail.com>
> > > ---
> > >  drivers/gpu/drm/xe/xe_vm.c | 5 +++++
> > >  include/uapi/drm/xe_drm.h  | 1 +
> > >  2 files changed, 6 insertions(+)
> > > 
> > > diff --git a/drivers/gpu/drm/xe/xe_vm.c
> > > b/drivers/gpu/drm/xe/xe_vm.c
> > > index a717a2b8dea..1ff66874f43 100644
> > > --- a/drivers/gpu/drm/xe/xe_vm.c
> > > +++ b/drivers/gpu/drm/xe/xe_vm.c
> > > @@ -3841,6 +3841,11 @@ int xe_vm_bind_ioctl(struct drm_device *dev,
> > > void *data, struct drm_file *file)
> > >  		return -EINVAL;
> > >  
> > >  	err = vm_bind_ioctl_check_args(xe, vm, args, &bind_ops);
> > > +
> > > +	if (XE_IOCTL_DBG(xe, args->num_binds > DRM_XE_MAX_BINDS))
> > > {
> > > +		err = -EINVAL;kvmalloc
> > > +		goto put_vm;
> > > +	}
> > 
> > We had something like this early Xe, IIRC, the max was 512 but we
> > found
> > for Vk / Mesa they will a huge number in an array of binds. So 1k
> > likely
> > isn't enough and this patch would be considered uAPI regression, so
> > this
> > as is a no go. Maybe we can figure out some reasonable upper bound
> > (64k,
> > 128k), idk.
> 
> IIRC we debated this back and forth. The challenging argument was that
> if we consume all memory we'd get an error back, which is sort of true
> but then we should've really made sure that all memory allocated was
> also accounted against the cgroup, with __GFP_ACCOUNT. We only did that
> for one large allocation.
> 
> But I think we made sure to avoid future regressions (functional, not
> performance) by requiring UMD to handle -ENOBUFS, meaning "split the
> array bind and retry". So whatever limit we come up with we should not
> return -EINVAL but -ENOBUFS. 

Yes, we can currently hit -ENOBUFS on large array of binds when we run
out space for instructions in batch buffers programming the bind and
Mesa gracefully handles this breaking down an array into individual
binds.

Matt 

> 
> Thanks,
> Thomas
> 
> 
> 
> > 
> > Matt
> > 
> > >  	if (err)
> > >  		goto put_vm;
> > >  
> > > diff --git a/include/uapi/drm/xe_drm.h b/include/uapi/drm/xe_drm.h
> > > index ae2fda23ce7..804ccb23b11 100644
> > > --- a/include/uapi/drm/xe_drm.h
> > > +++ b/include/uapi/drm/xe_drm.h
> > > @@ -1606,6 +1606,7 @@ struct drm_xe_exec {
> > >  	__u32 exec_queue_id;
> > >  
> > >  #define DRM_XE_MAX_SYNCS 1024
> > > +#define DRM_XE_MAX_BINDS 1024
> > >  	/** @num_syncs: Amount of struct drm_xe_sync in array. */
> > >  	__u32 num_syncs;
> > >  
> > > -- 
> > > 2.43.0
> > >