[PATCH] drm/lease: cap object_count to avoid order > MAX_PAGE_ORDER warning
2 views
Skip to first unread message
David Carlier
May 26, 2026, 2:28:32 AM (yesterday) May 26
to Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Dave Airlie, Keith Packard, dri-...@lists.freedesktop.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, syzbot+5d32c8...@syzkaller.appspotmail.com, David Carlier
cl->object_count comes from userspace unbounded and reaches
kzalloc_objs() in fill_object_idr(); a large value trips
WARN_ON_ONCE_GFP in __alloc_frozen_pages_noprof(), letting a DRM
master produce a kernel splat.
Bound object_count at the ioctl entry so the page allocator is
never asked for an absurd order.
Reported-by: syzbot+5d32c8...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d32c8bd82427f9c77cc
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Signed-off-by: David Carlier <devn...@gmail.com>
---
drivers/gpu/drm/drm_lease.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 5d2cf724cbd7..bdec759187d9 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -466,6 +466,13 @@ static int fill_object_idr(struct drm_device *dev,
return ret;
}
+/*
+ * Upper bound on the number of objects a single lease can reference.
+ * Real workloads use a handful; this is set well above any plausible
+ * value to avoid kmalloc requests that would exceed MAX_PAGE_ORDER.
+ */
+#define DRM_MAX_LEASE_OBJECTS 4096
+
/*
* The master associated with the specified file will have a lease
* created containing the objects specified in the ioctl structure.
@@ -505,6 +512,12 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
}
object_count = cl->object_count;
+ if (unlikely(object_count > DRM_MAX_LEASE_OBJECTS)) {
+ drm_dbg_lease(dev, "object_count %zu exceeds max %u\n",
+ object_count, DRM_MAX_LEASE_OBJECTS);
+ ret = -EINVAL;
+ goto out_lessor;
+ }
/* Handle leased objects, if any */
idr_init(&leases);
--
2.53.0
kzalloc_objs() in fill_object_idr(); a large value trips
WARN_ON_ONCE_GFP in __alloc_frozen_pages_noprof(), letting a DRM
master produce a kernel splat.
Bound object_count at the ioctl entry so the page allocator is
never asked for an absurd order.
Reported-by: syzbot+5d32c8...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d32c8bd82427f9c77cc
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Signed-off-by: David Carlier <devn...@gmail.com>
---
drivers/gpu/drm/drm_lease.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 5d2cf724cbd7..bdec759187d9 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -466,6 +466,13 @@ static int fill_object_idr(struct drm_device *dev,
return ret;
}
+/*
+ * Upper bound on the number of objects a single lease can reference.
+ * Real workloads use a handful; this is set well above any plausible
+ * value to avoid kmalloc requests that would exceed MAX_PAGE_ORDER.
+ */
+#define DRM_MAX_LEASE_OBJECTS 4096
+
/*
* The master associated with the specified file will have a lease
* created containing the objects specified in the ioctl structure.
@@ -505,6 +512,12 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
}
object_count = cl->object_count;
+ if (unlikely(object_count > DRM_MAX_LEASE_OBJECTS)) {
+ drm_dbg_lease(dev, "object_count %zu exceeds max %u\n",
+ object_count, DRM_MAX_LEASE_OBJECTS);
+ ret = -EINVAL;
+ goto out_lessor;
+ }
/* Handle leased objects, if any */
idr_init(&leases);
--
2.53.0
Reply all
Reply to author
Forward
0 new messages