From: "Christian König" <christian.koenig@amd.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
Fedor Pchelkin <pchelkin@ispras.ru>
Cc: Denis Arefev <arefev@swemel.ru>,
Alex Deucher <alexander.deucher@amd.com>,
Simona Vetter <simona@ffwll.ch>,
lvc-project@linuxtesting.org, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org, amd-gfx@lists.freedesktop.org,
David Airlie <airlied@gmail.com>
Subject: Re: [lvc-project] [PATCH] drm/amdgpu: check a user-provided number of BOs in list
Date: Wed, 9 Apr 2025 09:29:47 +0200 [thread overview]
Message-ID: <437e12e2-ac0d-4a97-bd55-39ee03979526@amd.com> (raw)
In-Reply-To: <CAHk-=whLixL8-iYt1qH0-YvEnVsYtryZaN5Da0qoBBhKsBnumw@mail.gmail.com>
Am 09.04.25 um 04:39 schrieb Linus Torvalds:
> On Tue, 8 Apr 2025 at 09:07, Fedor Pchelkin <pchelkin@ispras.ru> wrote:
>>> Linus comment is about kvmalloc(), but the code here is using
>>> kvmalloc_array() which as far as I know is explicitly made to safely
>>> allocate arrays with parameters provided by userspace.
> No.
>
> ABSOLUTELY NOTHING CAN ALLOCATE ARRAYS WITH PARAMETERS PROVIDED BY USER SPACE.
>
> All kvmalloc_array() does is to check for overflow on the multiplication.
>
> That does *not* mean that you can then just blindly take user space
> input and pass it to kvmalloc_array().
>
> That could easily cause the machine to run out of memory immediately,
> for example. Or just cause huge latency issues. Or any number of other
> things.
>
>> [27651.163361] WARNING: CPU: 3 PID: 183060 at mm/util.c:657 __kvmalloc_node_noprof+0xc1/0xd0
>> [27651.163411] CPU: 3 UID: 0 PID: 183060 Comm: a.out Not tainted 6.13.9-200.fc41.x86_64 #1
>> [27651.163412] Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024
>> [27651.163413] RIP: 0010:__kvmalloc_node_noprof+0xc1/0xd0
>> [27651.163424] Call Trace:
>> That's just
>>
>> union drm_amdgpu_bo_list bo_list;
>> int fd, ret;
>>
>> memset(&bo_list, 0, sizeof(bo_list));
>>
>> fd = open(DEVICE_PATH, O_RDWR);
>>
>> bo_list.in.bo_number = 1 << 31;
>> ret = ioctl(fd, DRM_IOCTL_AMDGPU_BO_LIST, &bo_list);
> Yes, exactly, and that's bogus code in the DRM layer to just blindly
> trust user space.
>
> User space input absolutely has to be validated for sanity.
That's what I totally agree on. My question is rather is it better to do this in a centralized function or spread out over tons of different use cases?
I mean open coding the limit checks everywhere certainly works, but as far as I can see it would be more defensive if we do that inside kvmalloc_array().
Or maybe a separate function which takes a maximum as parameter?
BTW we have been running into the kvmalloc() check on valid use cases as well. For example on a system with a >256TiB of system memory having a single descriptor array >4GiB is perfectly valid. It's just not valid in any possible way if you only have 8GiB in total.
In the past we worked around that by switching to multiple smaller allocations or different container types, but that is actually not the most optimal way of doing it.
Regards,
Christian.
>
> There's a very real reason why we have things like PATH_MAX.
>
> Could we allocate any amount of memory for user paths, with the
> argument that path length shouldn't be limited to some (pretty small)
> number?
>
> Sure. We *could* do that.
>
> And that would be a huge mistake. Limiting and sanity-checking user
> space arguments isn't just a good idea - it's an absolute requirement.
>
> So that kvmalloc warning exists *exactly* so that you will get a
> warning if you do something stupid like just blindly trust user space.
>
> Because no, "doesn't overflow" isn't even remotely a valid limit. A
> real limit on memory allocations - and most other things, for that
> matter - needs to be about practical real issues, not about something
> like "this doesn't overflow".
>
> Linus
next prev parent reply other threads:[~2025-04-09 7:29 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-08 9:17 [PATCH] drm/amdgpu: check a user-provided number of BOs in list Denis Arefev
2025-04-08 9:26 ` Christian König
2025-04-08 9:39 ` [lvc-project] " Fedor Pchelkin
2025-04-08 11:37 ` Christian König
2025-04-08 11:54 ` Fedor Pchelkin
[not found] ` <edc08eb4-63dd-402c-82df-af6898d499a9@amd.com>
2025-04-08 16:07 ` Fedor Pchelkin
2025-04-09 2:39 ` Linus Torvalds
2025-04-09 7:29 ` Christian König [this message]
2025-04-09 17:27 ` Linus Torvalds
2025-04-10 9:07 ` Christian König
2025-04-13 11:31 ` Fedor Pchelkin
2025-04-14 9:35 ` Christian König
2025-04-14 9:27 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=437e12e2-ac0d-4a97-bd55-39ee03979526@amd.com \
--to=christian.koenig@amd.com \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=arefev@swemel.ru \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=pchelkin@ispras.ru \
--cc=simona@ffwll.ch \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox