Recently, a vulnerability was resolved in the Linux kernel's drm/amdgpu driver. It concerns the segment size limit for AMDGPU scatter-gather (sg) lists: the driver did not set the correct max_segment_size, so debug_dma_map_sg() complained that the AMDGPU sg length was over-mapped. The warning message is shown below:
WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+x2dc/x370
[ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched...
...
---truncated---
The fix for this issue lies in setting the right max_segment_size within the driver. The complete details of the vulnerability, along with the relevant code snippets and links to the original references, are provided below.
Exploit Details
- Vulnerability: Incorrect setting of max_segment_size in the drm/amdgpu driver
- References
- Original report: linux-commits
- Related discussions: thread
The code snippet below shows the change made to fix the issue:
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.cg b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index de15ba82efd..e481c6bef2a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3703,6 +3703,8 @@ void amdgpu_device_init(struct amdgpu_device *adev,
if (!device->pdev)
return;
+ dma_set_max_seg_size(&device->pdev->dev, UINT_MAX);
+
amdgpu_device_check_sbrn(adev);
/* Restore some register to avoid hang */
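Review bot: the added dma_set_max_seg_size(&device->pdev->dev, UINT_MAX) line has no comment explaining why UINT_MAX is the right segment limit, and it dereferences `device` while the hunk header's signature and the following context line use `adev`. Suggest a one-line comment above the call stating the segment size the hardware supports, and confirming which pointer is in scope at this point so the hunk applies as shown. The diff --git line also names the a/ path amdgpu_device.cg while the --- line names amdgpu_device.c; the two should match.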
By setting the correct max_segment_size, the driver now avoids the issue of over-mapping the AMDGPU sg length and reduces the risk of potential crashes or other unexpected behaviors caused by this vulnerability.
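To make the mechanism concrete, here is a simplified userspace model of the length check that DMA debugging applies to each sg entry. It is an added example, not kernel or driver code. The model_* names and the sample list are constructed for illustration, and the model assumes the kernel's behaviour of falling back to a 64 KiB limit when a device has never set max_segment_size.

```c
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

#define SZ_64K 0x10000u  /* fallback limit when the driver never set one */

/* Hypothetical stand-ins for the kernel's struct device / scatterlist. */
struct model_dev { unsigned int max_segment_size; };  /* 0 = never set */
struct model_sg  { unsigned int length; };

/* Models dma_get_max_seg_size(): an unset limit reads back as 64 KiB. */
static unsigned int model_get_max_seg_size(const struct model_dev *dev)
{
    return dev->max_segment_size ? dev->max_segment_size : SZ_64K;
}

/* Models the dma_set_max_seg_size() call added by the fix. */
static void model_set_max_seg_size(struct model_dev *dev, unsigned int size)
{
    dev->max_segment_size = size;
}

/* Count the segments the debug length check would warn about. */
static size_t model_count_oversized(const struct model_dev *dev,
                                    const struct model_sg *sgl, size_t nents)
{
    unsigned int max_seg = model_get_max_seg_size(dev);
    size_t bad = 0;

    for (size_t i = 0; i < nents; i++) {
        if (sgl[i].length > max_seg) {
            printf("sg[%zu]: len=%u exceeds max=%u\n", i, sgl[i].length, max_seg);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: one 4 KiB, one 64 KiB and one 2 MiB segment. */
static const struct model_sg sample_sgl[] = { {4096u}, {65536u}, {2097152u} };

int main(void)
{
    struct model_dev dev = { 0 };  /* driver has not set a limit yet */
    size_t n = sizeof(sample_sgl) / sizeof(sample_sgl[0]);

    printf("before: %zu oversized\n", model_count_oversized(&dev, sample_sgl, n));
    model_set_max_seg_size(&dev, UINT_MAX);  /* same value as the patch */
    printf("after:  %zu oversized\n", model_count_oversized(&dev, sample_sgl, n));
    return 0;
}
```

In the model, only the 2 MiB segment trips the check before the limit is set, and none do afterwards.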
If you're using an affected version of the Linux kernel with the drm/amdgpu driver, it is recommended that you update your kernel to the latest version and apply the necessary patches to resolve this vulnerability.
Timeline
Published on: 12/27/2024 15:15:18 UTC
Last modified on: 05/04/2025 09:59:17 UTC