From: Harry Wentland <[email protected]>
[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.
Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.
Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
Cc: [email protected]
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <[email protected]>
Signed-off-by: Harry Wentland <[email protected]>
Signed-off-by: Ray Wu <[email protected]>
---
drivers/gpu/drm/amd/display/dc/basics/vector.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/basics/vector.c
b/drivers/gpu/drm/amd/display/dc/basics/vector.c
index d4dcc077854d..4162f1f0383b 100644
--- a/drivers/gpu/drm/amd/display/dc/basics/vector.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/vector.c
@@ -289,8 +289,8 @@ bool dal_vector_reserve(struct vector *vector, uint32_t
capacity)
if (capacity <= vector->capacity)
return true;
- new_container = krealloc(vector->container,
- capacity * vector->struct_size, GFP_KERNEL);
+ new_container = krealloc_array(vector->container,
+ capacity, vector->struct_size,
GFP_KERNEL);
if (new_container) {
vector->container = new_container;
--
2.43.0
