diff options
| author | Ziyi Guo <n7l8m4@u.northwestern.edu> | 2026-02-08 00:02:55 +0000 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2026-05-27 11:55:06 -0400 |
| commit | a1ba4594232c87c3b8defd6f89a2e40f8b08395d (patch) | |
| tree | f023ce8844f6e4342b5f08beaa072e890481b555 /scripts/objdiff | |
| parent | 2e7f55eb408c3f72ee1957a0d0ad11d8648a6379 (diff) | |
drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL) at
amdgpu_gem.c:1050 uses the user-supplied num_entries directly without
any upper bounds check. Since num_entries is a __u32 and
sizeof(drm_amdgpu_gem_vm_entry) is 32 bytes, a large num_entries
produces an allocation exceeding INT_MAX, triggering
WARNING in __kvmalloc_node_noprof(), causing a kernel WARNING,
TAINT_WARN, and panic on CONFIG_PANIC_ON_WARN=y systems.
Add a size bounds check before we invoke the kvzalloc() to
reject oversized num_entries early with -EINVAL.
Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1fe7bf5457f6efd7be60b17e23163ba54341d73d)
Cc: stable@vger.kernel.org
Diffstat (limited to 'scripts/objdiff')
0 files changed, 0 insertions, 0 deletions