From: Matthew Auld <matthew.auld@intel.com>
To: Jia Yao <jia.yao@intel.com>, intel-xe@lists.freedesktop.org
Subject: Re: [PATCH] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
Date: Tue, 3 Feb 2026 17:29:31 +0000 [thread overview]
Message-ID: <e8ff4878-7720-4151-ab6a-8294145c8bff@intel.com> (raw)
In-Reply-To: <20260203172045.1154546-1-jia.yao@intel.com>
On 03/02/2026 17:20, Jia Yao wrote:
> When user provides a bogus pat_index value through the madvise IOCTL, the
> xe_pat_index_get_coh_mode() function performs an array access without
> validating bounds. This allows a malicious user to trigger an out-of-bounds
> kernel read from the xe->pat.table array.
>
> The vulnerability exists because the validation in madvise_args_are_sane()
> directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without
> first checking if pat_index is within [0, xe->pat.n_entries).
>
> Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug
> builds, it still performs the unsafe array access in production kernels.
>
> Fix this by adding an explicit bounds check before calling the function,
> similar to other IOCTL parameter validations. This prevents malicious
> userspace from reading arbitrary kernel memory.
>
> Fixes: ada7486c5668 ("drm/xe: Implement madvise ioctl for xe")
> Cc: Matthew Auld <matthew.auld@intel.com>
> Signed-off-by: Jia Yao <jia.yao@intel.com>
Cc: <stable@vger.kernel.org> # v6.18+
You can use "dim fixes <commit-id>" to get the right tags.
> ---
> drivers/gpu/drm/xe/xe_vm_madvise.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/xe/xe_vm_madvise.c b/drivers/gpu/drm/xe/xe_vm_madvise.c
> index add9a6ca2390..c109f9adf6fb 100644
> --- a/drivers/gpu/drm/xe/xe_vm_madvise.c
> +++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
> @@ -291,6 +291,9 @@ static bool madvise_args_are_sane(struct xe_device *xe, const struct drm_xe_madv
> break;
> case DRM_XE_MEM_RANGE_ATTR_PAT:
> {
> + if (XE_IOCTL_DBG(xe, args->pat_index.val >= xe->pat.n_entries))
> + return false;
> +
I think we are meant to use array_index_nospec() also? We have the same
check for vm_bind, so you can use that as an example.
> u16 coh_mode = xe_pat_index_get_coh_mode(xe, args->pat_index.val);
>
> if (XE_IOCTL_DBG(xe, !coh_mode))
next prev parent reply other threads:[~2026-02-03 17:29 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-03 17:20 [PATCH] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise Jia Yao
2026-02-03 17:27 ` ✓ CI.KUnit: success for " Patchwork
2026-02-03 17:29 ` Matthew Auld [this message]
2026-02-03 18:02 ` ✗ Xe.CI.BAT: failure " Patchwork
2026-02-03 21:06 ` [PATCH v2] " Jia Yao
2026-02-04 15:44 ` Matthew Auld
2026-02-04 18:15 ` Yao, Jia
2026-02-05 10:21 ` Matthew Auld
2026-02-03 21:14 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev2) Patchwork
2026-02-03 21:47 ` ✗ Xe.CI.BAT: failure " Patchwork
2026-02-03 22:33 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev3) Patchwork
2026-02-03 23:06 ` ✗ Xe.CI.BAT: failure " Patchwork
2026-02-04 13:05 ` ✗ Xe.CI.FULL: " Patchwork
2026-02-05 0:10 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev4) Patchwork
2026-02-05 0:43 ` ✓ Xe.CI.BAT: " Patchwork
2026-02-05 15:38 ` ✗ Xe.CI.FULL: failure " Patchwork
2026-02-05 16:15 ` [PATCH v3] drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise Jia Yao
2026-02-05 16:30 ` Matthew Auld
2026-02-05 16:22 ` ✓ CI.KUnit: success for drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise (rev5) Patchwork
2026-02-05 17:03 ` ✓ Xe.CI.BAT: " Patchwork
2026-02-06 15:19 ` ✗ Xe.CI.FULL: failure " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e8ff4878-7720-4151-ab6a-8294145c8bff@intel.com \
--to=matthew.auld@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=jia.yao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox