The amdgpu_sched_hw_submission parameter controls the number of hardware jobs that can be scheduled concurrently per ring. This value is later multiplied by ring->max_dw to compute buffer offsets or command patch regions.

If amdgpu_sched_hw_submission is set too high (by user input via module parameter), the multiplication can overflow, resulting in corrupted memory offsets or ring buffer overflows.

Clamp amdgpu_sched_hw_submission to a practical upper bound (e.g. 2^16) to prevent arithmetic overflow when computing ring buffer offsets during initialization, especially in jpeg_v1_0_start().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: stable@vger.kernel.org # v5.9+ Fixes: 5d5bd5e32e6e ("drm/amdgpu: restrict the hw sched jobs number to power of two") Signed-off-by: Alexey Nepomnyashih sdl@nppct.ru --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 018dfccd771b..69217a021b0e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -2056,6 +2056,10 @@ static int amdgpu_device_check_arguments(struct amdgpu_device *adev) dev_warn(adev->dev, "sched hw submission jobs (%d) must be at least 2\n", amdgpu_sched_hw_submission); amdgpu_sched_hw_submission = 2; + } else if (amdgpu_sched_hw_submission > 65536) { + dev_warn(adev->dev, "sched hw submission jobs (%d) is too large\n", + amdgpu_sched_hw_submission); + amdgpu_sched_hw_submission = 65536; } else if (!is_power_of_2(amdgpu_sched_hw_submission)) { dev_warn(adev->dev, "sched hw submission jobs (%d) must be a power of 2\n", amdgpu_sched_hw_submission);