On Tue, May 12, 2026 at 11:24 AM Eric Huang <[email protected]> wrote:
>
> get_queue_ids() computes array_size = num_queues * sizeof(uint32_t),
> which could overflow on a 32-bit size_t build. Use array_size()
> instead; it saturates to SIZE_MAX on overflow.
>
> Signed-off-by: Eric Huang <[email protected]>
Acked-by: Alex Deucher <[email protected]> > --- > drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > index 2e6923528342..b34f29501ff8 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > @@ -3468,12 +3468,14 @@ static void copy_context_work_handler(struct > work_struct *work) > > static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t > *usr_queue_id_array) > { > - size_t array_size = num_queues * sizeof(uint32_t); > - > if (!usr_queue_id_array) > return NULL; > > - return memdup_user(usr_queue_id_array, array_size); > + if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS) > + return ERR_PTR(-EINVAL); > + > + return memdup_user(usr_queue_id_array, > + array_size(num_queues, sizeof(uint32_t))); > } > > int resume_queues(struct kfd_process *p, > -- > 2.34.1 >
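
Review bot: The num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS check added at the top of get_queue_ids() is a behaviour change that the commit message does not mention; the message describes only the switch to array_size(). Oversized counts now fail with -EINVAL before memdup_user() is reached, so the message should state that, and say whether array_size() is kept purely as a second line of defence, since with the bound in place the product can only saturate if the limit itself is large enough to wrap a 32-bit size_t. It is also worth confirming that every caller tests the result with IS_ERR() and not only for NULL, because the function now has its own ERR_PTR return alongside the NULL it returns for a missing usr_queue_id_array.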
