From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/v3d: Limit ioctl extension chain depth to prevent infinite loop
Date: Sun, 12 Apr 2026 10:35:51 +1000
Message-ID:
In-Reply-To: <20260410013907.2404175-1-ashutoshdesai993@gmail.com>
References: <20260410013907.2404175-1-ashutoshdesai993@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: drm/v3d: Limit ioctl extension chain depth to prevent infinite loop
Author: Ashutosh Desai
Patches: 2
Reviewed: 2026-04-12T10:35:51.967853

---

This is a single-patch fix for a real denial-of-service vulnerability in the V3D DRM driver. A userspace process can craft a self-referential ioctl extension chain (where `ext->next` points back to the extension itself) that causes `v3d_get_extensions()` to loop infinitely in kernel context, permanently pegging a CPU core.

The vulnerability analysis in the commit message is correct. The existing "duplicate guard" in `v3d_get_multisync_submit_deps()` (line 391) only checks `se->in_sync_count || se->out_sync_count`, and `v3d_get_multisync_post_deps()` returns immediately at line 340 when `count` is 0 without ever setting `se->out_sync_count`. So a crafted extension with `DRM_V3D_EXT_ID_MULTI_SYNC`, zero sync counts, and `next` pointing to itself will loop forever.

The fix is sound in principle — adding a depth limit is the standard defense used by both i915 (512) and xe (16). However, there are several issues that should be addressed before merging.

---
Generated by Claude Code Patch Reviewer
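
The guard gap and the depth limit discussed in the review above, reduced to a user-space C model. This is an added example, not part of the original message, the patch or the v3d driver. The struct and function names, the in-memory `next` pointers (the driver copies each extension from user memory instead), the limit of 16 and the `-E2BIG` return value are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define EXT_ID_MULTI_SYNC 1u  /* stand-in for DRM_V3D_EXT_ID_MULTI_SYNC */
#define MAX_EXT_CHAIN 16u     /* constructed limit, not the patch's value */

struct ext {                  /* models one userspace extension */
    struct ext *next;         /* caller-controlled link */
    uint32_t id, in_sync_count, out_sync_count;
};
struct submit_ext { uint32_t in_sync_count, out_sync_count; }; /* parsed state */

/* Duplicate guard as the review describes it: it trips only when an
 * earlier extension left a non-zero count behind. */
static int parse_multisync(struct submit_ext *se, const struct ext *e)
{
    if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;
    se->in_sync_count = e->in_sync_count;
    se->out_sync_count = e->out_sync_count;
    return 0;
}

/* Bounded walk: 0 on success, -EINVAL for a duplicate or unknown id,
 * -E2BIG (assumed error code) once the chain exceeds MAX_EXT_CHAIN. */
int walk_extensions(struct ext *head, struct submit_ext *se)
{
    unsigned int depth = 0;
    for (struct ext *e = head; e; e = e->next) {
        if (++depth > MAX_EXT_CHAIN)
            return -E2BIG;
        if (e->id != EXT_ID_MULTI_SYNC)
            return -EINVAL;
        int ret = parse_multisync(se, e);
        if (ret)
            return ret;
    }
    return 0;
}

/* Constructed input: a single extension whose next points at itself. */
int walk_self_loop(uint32_t in_count, uint32_t out_count)
{
    struct ext e = { NULL, EXT_ID_MULTI_SYNC, in_count, out_count };
    struct submit_ext se = { 0, 0 };
    e.next = &e;
    return walk_extensions(&e, &se);
}

int main(void) { return walk_self_loop(0, 0) == -E2BIG ? 0 : 1; }
```

With zero counts the guard never trips and only the depth check ends the walk; with a non-zero count the guard rejects the second visit on its own.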