The KFD CRIU restore flow restores previously saved object IDs from
userspace.
For event restore:
  kfd_criu_restore_event()
    -> create_signal_event() / create_other_event()
      -> allocate_event_notification_slot()
        -> idr_alloc(..., *restore_id, *restore_id + 1, ...)
For BO restore:
  criu_restore_memory_of_gpu()
    -> idr_alloc(..., bo_priv->idr_handle, ...)
In both cases, the restored ID comes from userspace-provided CRIU data.
idr_alloc() expects the ID range values to fit within signed int
limits. If a restored ID is larger than INT_MAX, it can trigger a WARN
in the IDR layer.
A kernel WARN is undesirable because it prints a warning trace and may
cause a panic or reboot on systems with panic_on_warn enabled.
Smatch reported these paths as allowing unchecked userspace values to
reach idr_alloc().
Add INT_MAX validation before using restored IDs in:
- kfd_criu_restore_event()
- criu_restore_memory_of_gpu()
If the restored ID is invalid, return -EINVAL.
This prevents invalid restore data from reaching the IDR layer and
avoids WARN-triggering paths, while keeping valid restore behavior
unchanged.
Fixes: 40e8a766a761 ("drm/amdkfd: CRIU checkpoint and restore events")
Reported-by: Dan Carpenter <error27@gmail.com>
Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: David Yat Sin <david.yatsin@amd.com>
Cc: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: David Yat Sin <david.yatsin@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
const bool criu_resume = true;
u64 offset;
+ if (bo_priv->idr_handle > INT_MAX)
+ return -EINVAL;
+
if (bo_bucket->alloc_flags & KFD_IOC_ALLOC_MEM_FLAGS_DOORBELL) {
if (bo_bucket->size !=
kfd_doorbell_process_slice(pdd->dev->kfd))
}
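Review bot: the bare `return -EINVAL;` after `if (bo_priv->idr_handle > INT_MAX)` carries neither a comment nor a diagnostic; a one-line comment stating that the bound exists because idr_alloc() takes a signed int range, plus a pr_debug naming the rejected idr_handle, would make a corrupted or malicious CRIU image far easier to diagnose than a silent -EINVAL from the restore ioctl. Returning directly (rather than the `goto exit` used in the event path) looks correct here, since the hunk shows only local declarations above the check and nothing acquired yet that would need releasing.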
*priv_data_offset += sizeof(*ev_priv);
+ if (ev_priv->event_id > INT_MAX) {
+ ret = -EINVAL;
+ goto exit;
+ }
+
if (ev_priv->user_handle) {
ret = kfd_kmap_event_page(p, ev_priv->user_handle);
if (ret)
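Review bot: the check `if (ev_priv->event_id > INT_MAX)` still admits event_id == INT_MAX, and the idr_alloc() call quoted in the commit message passes `*restore_id + 1` as the end of the range, which wraps at that boundary; either add a comment documenting that idr_alloc() treats a non-positive end as "no upper bound" (so INT_MAX remains allocatable and the bound is intentional), or tighten the test to `>= INT_MAX` if that reliance is not wanted. Placing the check after `*priv_data_offset += sizeof(*ev_priv);` and using `ret = -EINVAL; goto exit;` matches the existing error handling in this function, so no cleanup is skipped.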