drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

[ Upstream commit 8a70a26c9f34baea6c3199a9862ddaff4554a96d ] The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation. Signed-off-by: Sunday Clement <Sunday.Clement@amd.com> Reviewed-by: Alexander Deucher <Alexander.Deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Sunday Clement <Sunday.Clement@amd.com> 2026-02-02 12:41:39 -0500
committer: Sasha Levin <sashal@kernel.org> 2026-03-04 07:20:34 -0500
commit: de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f (patch)
tree: cd34cda1b1a14b1e4b23d1e7846aa02f88f82386 /drivers/gpu
parent: c78a5b94451d1c48162e8a21056ed438ec28f9bc (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
index 8b5c82af2acd..5b8f665e033b 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
@@ -303,6 +303,12 @@ int kfd_event_page_set(struct kfd_process *p, void *kernel_address,
 	if (p->signal_page)
 		return -EBUSY;
 
+	if (size < KFD_SIGNAL_EVENT_LIMIT * 8) {
+		pr_err("Event page size %llu is too small, need at least %lu bytes\n",
+				size, (unsigned long)(KFD_SIGNAL_EVENT_LIMIT * 8));
+		return -EINVAL;
+	}
+
 	page = kzalloc(sizeof(*page), GFP_KERNEL);
 	if (!page)
 		return -ENOMEM;
author	Sunday Clement <Sunday.Clement@amd.com>	2026-02-02 12:41:39 -0500
committer	Sasha Levin <sashal@kernel.org>	2026-03-04 07:20:34 -0500
commit	de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f (patch)
tree	cd34cda1b1a14b1e4b23d1e7846aa02f88f82386 /drivers/gpu
parent	c78a5b94451d1c48162e8a21056ed438ec28f9bc (diff)