From 04c9db8ff7516f2e9b2aee8c1f8e06cd2eadd901 Mon Sep 17 00:00:00 2001
From: jsg
Date: Fri, 20 Mar 2026 00:02:55 +0000
Subject: [PATCH] drm/amdgpu: add upper bound check on user inputs in signal ioctl

From Sunil Khatri
6fff5204d8aa26b1be50b6427f833bd3e8899c4f in linux-6.18.y/6.18.19
ea78f8c68f4f6211c557df49174c54d167821962 in mainline linux
---
 sys/dev/pci/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_userq_fence.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_userq_fence.c
index c900046ba99..409f5ba6aec 100644
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -35,6 +35,8 @@
 static const struct dma_fence_ops amdgpu_userq_fence_ops;
 static struct pool amdgpu_userq_fence_slab;
 
+#define AMDGPU_USERQ_MAX_HANDLES (1U << 16)
+
 int amdgpu_userq_fence_slab_init(void)
 {
 #ifdef __linux__
@@ -497,6 +499,11 @@ int amdgpu_userq_signal_ioctl(struct drm_device *dev, void *data,
 if (!amdgpu_userq_enabled(dev))
 return -ENOTSUPP;
 
+ if (args->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ args->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ args->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+ return -EINVAL;
+
 num_syncobj_handles = args->num_syncobj_handles;
 syncobj_handles = memdup_user(u64_to_user_ptr(args->syncobj_handles),
 size_mul(sizeof(u32), num_syncobj_handles));
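Review bot: The new `AMDGPU_USERQ_MAX_HANDLES` define has no comment saying what it bounds or why `1U << 16` was chosen, and it is private to this .c file, so a caller learns the limit only from an -EINVAL. I would add a comment above it such as `/* Max entries in each user-supplied handle array per ioctl; bounds the memdup_user() allocations sized from these counts. */`. If the limit is meant to be part of the ioctl contract, stating it next to the argument struct definition (not visible in this patch) would let userspace stay under it.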
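Review bot: The three-count check in amdgpu_userq_signal_ioctl bounds only this entry point, so any other ioctl in this file that sizes a memdup_user() copy from user-supplied counts still needs the same `> AMDGPU_USERQ_MAX_HANDLES` rejection, unless a separate change already covers it. That cannot be confirmed from this patch, which touches only the signal ioctl, but the file-scope define suggests the bound is meant to be shared. A one-line comment above the check would also help the next reader, e.g. `/* Reject oversized counts before they size any user copy below. */`. The function starts before and continues past this hunk, so later uses of the two BO handle counts are not visible here.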