drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger

get_queue_ids() computes array_size = num_queues * sizeof(uint32_t), which could overflow on 32-bit size_t build. using array_size() instead, it saturates to SIZE_MAX on overflow. Signed-off-by: Eric Huang <jinhuieric.huang@amd.com> Acked-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
author: Eric Huang <jinhuieric.huang@amd.com> 2026-05-12 10:19:52 -0400
committer: Alex Deucher <alexander.deucher@amd.com> 2026-05-27 10:48:39 -0400
commit: 2d57a0475f085c08b49312dfd8edcb461845f285 (patch)
tree: 60c7450af9fbec45ef11268d9a51f7c48eae4fd8
parent: eb53125a7ad99c7fc2f249bffdc561afa002a46c (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index 5cba592ba941..cbd6fe8340f7 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -3477,12 +3477,14 @@ static void copy_context_work_handler(struct work_struct *work)
 
 static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id_array)
 {
-	size_t array_size = num_queues * sizeof(uint32_t);
-
 	if (!usr_queue_id_array)
 		return NULL;
 
-	return memdup_user(usr_queue_id_array, array_size);
+	if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS)
+		return ERR_PTR(-EINVAL);
+
+	return memdup_user(usr_queue_id_array,
+			   array_size(num_queues, sizeof(uint32_t)));
 }
 
 int resume_queues(struct kfd_process *p,
author	Eric Huang <jinhuieric.huang@amd.com>	2026-05-12 10:19:52 -0400
committer	Alex Deucher <alexander.deucher@amd.com>	2026-05-27 10:48:39 -0400
commit	2d57a0475f085c08b49312dfd8edcb461845f285 (patch)
tree	60c7450af9fbec45ef11268d9a51f7c48eae4fd8
parent	eb53125a7ad99c7fc2f249bffdc561afa002a46c (diff)