Applied. Thanks!
On Mon, Feb 9, 2026 at 5:37 AM Ziyi Guo <[email protected]> wrote: > > kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL) at > amdgpu_gem.c:1050 uses the user-supplied num_entries directly without > any upper bounds check. Since num_entries is a __u32 and > sizeof(drm_amdgpu_gem_vm_entry) is 32 bytes, a large num_entries > produces an allocation exceeding INT_MAX, triggering > WARNING in __kvmalloc_node_noprof(), causing a kernel WARNING, > TAINT_WARN, and panic on CONFIG_PANIC_ON_WARN=y systems. > > Add a size bounds check before we invoke the kvzalloc() to > reject oversized num_entries early with -EINVAL. > > Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl") > Signed-off-by: Ziyi Guo <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c > index 3e38c5db2987..ef5d8bd216b2 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c > @@ -1047,6 +1047,11 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void > *data, > * If that number is larger than the size of the array, the > ioctl must > * be retried. > */ > + if (args->num_entries > INT_MAX / sizeof(*vm_entries)) { > + r = -EINVAL; > + goto out_exec; > + } > + > vm_entries = kvcalloc(args->num_entries, sizeof(*vm_entries), > GFP_KERNEL); > if (!vm_entries) > return -ENOMEM; > -- > 2.34.1 >
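Review bot: the new check and the existing allocation-failure path in the same hunk take different exits, which looks inconsistent: the added branch does `r = -EINVAL; goto out_exec;` while two lines later `if (!vm_entries) return -ENOMEM;` returns directly, bypassing whatever out_exec unwinds. Either both paths should go through out_exec or both should return; please confirm which resources are live at this point and make the two consistent (if out_exec is the right exit, the -ENOMEM return is a pre-existing leak worth a follow-up). Two smaller points: the commit message says "before we invoke the kvzalloc()" but the call being guarded is kvcalloc(), and the limit `INT_MAX / sizeof(*vm_entries)` silently encodes the allocator's warning threshold rather than any sane maximum for the ioctl; a named upper bound on num_entries would state the intent more clearly.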
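As an added example (not amdgpu code and not from the patch above), the following userspace C models the check the hunk introduces and shows why the comparison has to be made against a limit scaled by the element size rather than against the product: the 32-bit product num_entries * 32 wraps to zero long before size_t overflows, so a naively written `num_entries * sizeof(...) > INT_MAX` in u32 arithmetic would wave the bad value through. The 32-byte element size and the INT_MAX ceiling on kvmalloc() are assumptions taken from the commit message; `struct vm_entry_model` and the function names are hypothetical.

```c
/* Added example, not amdgpu code. Models the bounds check added before
 * kvcalloc() in amdgpu_gem_op_ioctl(). Assumptions from the commit message:
 * the element is 32 bytes and kvmalloc() warns on sizes above INT_MAX. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for drm_amdgpu_gem_vm_entry: four u64s = 32 bytes. */
struct vm_entry_model {
    uint64_t words[4];
};

/* Mirrors the hunk: reject a user-supplied count whose byte size would
 * exceed INT_MAX. sizeof() is size_t, so the division and comparison are
 * done in size_t and num_entries is widened, not truncated. Returns 0 when
 * the count is acceptable, -EINVAL when it must be rejected. */
int check_num_entries(uint32_t num_entries)
{
    if (num_entries > INT_MAX / sizeof(struct vm_entry_model))
        return -EINVAL;
    return 0;
}

/* What a kvcalloc()-style allocator computes: count * size in size_t with
 * an overflow guard. Returns the byte size it would request, or 0 if the
 * product does not fit in size_t. On a 64-bit build every u32 count fits,
 * which is exactly why a size_t overflow check alone never trips here and
 * the INT_MAX limit has to be enforced separately. */
size_t requested_bytes(uint32_t num_entries)
{
    size_t n = num_entries;
    size_t sz = sizeof(struct vm_entry_model);

    if (n != 0 && sz > SIZE_MAX / n)
        return 0;
    return n * sz;
}

/* The pitfall: the same product done in u32 arithmetic. 2^27 entries * 32
 * bytes wraps to 0, so a check phrased as "product > INT_MAX" in u32 would
 * accept a count that actually asks for 4 GiB. */
uint32_t naive_u32_product(uint32_t num_entries)
{
    return num_entries * (uint32_t)sizeof(struct vm_entry_model);
}

int main(void)
{
    /* Constructed inputs: the largest accepted count and one past it. */
    uint32_t limit = (uint32_t)(INT_MAX / sizeof(struct vm_entry_model));
    uint32_t bad = limit + 1;
    uint32_t wrap = 1u << 27;

    printf("limit %u -> %d, bytes %zu\n", limit, check_num_entries(limit),
           requested_bytes(limit));
    printf("bad   %u -> %d, bytes %zu\n", bad, check_num_entries(bad),
           requested_bytes(bad));
    printf("wrap  %u -> %d, size_t bytes %zu, u32 product %u\n", wrap,
           check_num_entries(wrap), requested_bytes(wrap),
           naive_u32_product(wrap));
    return 0;
}
```

The useful comparison is the last line of output: for 2^27 entries the size_t product is 4 GiB and the check rejects it, while the u32 product is 0.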
