* [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation
@ 2025-10-02 2:22 Bhanu Seshu Kumar Valluri
2025-10-02 23:19 ` kernel test robot
0 siblings, 1 reply; 2+ messages in thread
From: Bhanu Seshu Kumar Valluri @ 2025-10-02 2:22 UTC (permalink / raw)
To: Alex Deucher, Christian König, David Airlie, Simona Vetter,
Harry Wentland, Leo Li, Rodrigo Siqueira, Tao Zhou, Hawking Zhang,
ganglxie, Lijo Lazar, Candice Li, Victor Skvortsov, Roman Li,
Alvin Lee, Karthi Kandasamy, David Rosca, Marek Olšák,
Jocelyn Falempe, André Almeida, Mario Limonciello
Cc: amd-gfx, dri-devel, linux-kernel, khalid, linux-kernel-mentees,
skhan, david.hunter.linux, bhanuseshukumar
Use kmalloc_array to avoid potential overflow during dynamic size calculation
inside kmalloc.
Signed-off-by: Bhanu Seshu Kumar Valluri <bhanuseshukumar@gmail.com>
---
Note:
Patch is verified for compilation.
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 4 ++--
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 540817e296da..642addf70466 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -2566,7 +2566,7 @@ static int amdgpu_ras_badpages_read(struct amdgpu_device *adev,
goto out;
}
- *bps = kmalloc(sizeof(struct ras_badpage) * data->count, GFP_KERNEL);
+ *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
if (!*bps) {
ret = -ENOMEM;
goto out;
@@ -2722,7 +2722,7 @@ static int amdgpu_ras_realloc_eh_data_space(struct amdgpu_device *adev,
unsigned int old_space = data->count + data->space_left;
unsigned int new_space = old_space + pages;
unsigned int align_space = ALIGN(new_space, 512);
- void *bps = kmalloc(align_space * sizeof(*data->bps), GFP_KERNEL);
+ void *bps = kmalloc_array(align_space, sizeof(*data->bps), GFP_KERNEL);
if (!bps) {
return -ENOMEM;
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index 3d2f8eedeef2..e027798ece03 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -146,7 +146,7 @@ static void amdgpu_dm_plane_add_modifier(uint64_t **mods, uint64_t *size, uint64
if (*cap - *size < 1) {
uint64_t new_cap = *cap * 2;
- uint64_t *new_mods = kmalloc(new_cap * sizeof(uint64_t), GFP_KERNEL);
+ uint64_t *new_mods = kmalloc_array(new_cap, sizeof(uint64_t), GFP_KERNEL);
if (!new_mods) {
kfree(*mods);
@@ -732,7 +732,7 @@ static int amdgpu_dm_plane_get_plane_modifiers(struct amdgpu_device *adev, unsig
if (adev->family < AMDGPU_FAMILY_AI)
return 0;
- *mods = kmalloc(capacity * sizeof(uint64_t), GFP_KERNEL);
+ *mods = kmalloc_array(capacity, sizeof(uint64_t), GFP_KERNEL);
if (plane_type == DRM_PLANE_TYPE_CURSOR) {
amdgpu_dm_plane_add_modifier(mods, &size, &capacity, DRM_FORMAT_MOD_LINEAR);
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation
2025-10-02 2:22 [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation Bhanu Seshu Kumar Valluri
@ 2025-10-02 23:19 ` kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2025-10-02 23:19 UTC (permalink / raw)
To: Bhanu Seshu Kumar Valluri, Alex Deucher, Christian König,
David Airlie, Simona Vetter, Harry Wentland, Leo Li,
Rodrigo Siqueira, Tao Zhou, Hawking Zhang, ganglxie, Lijo Lazar,
Candice Li, Victor Skvortsov, Roman Li, Alvin Lee,
Karthi Kandasamy, David Rosca, Marek Olšák,
Jocelyn Falempe, André Almeida, Mario Limonciello
Cc: oe-kbuild-all, amd-gfx, dri-devel, linux-kernel, khalid,
linux-kernel-mentees, skhan, david.hunter.linux, bhanuseshukumar
Hi Bhanu,
kernel test robot noticed the following build warnings:
[auto build test WARNING on amd-pstate/linux-next]
[also build test WARNING on amd-pstate/bleeding-edge v6.17]
[cannot apply to linus/master next-20251002]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Bhanu-Seshu-Kumar-Valluri/drm-amd-Use-kmalloc_array-to-prevent-overflow-of-dynamic-size-calculation/20251002-102458
base: https://git.kernel.org/pub/scm/linux/kernel/git/superm1/linux.git linux-next
patch link: https://lore.kernel.org/r/20251002022241.77823-1-bhanuseshukumar%40gmail.com
patch subject: [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation
config: x86_64-randconfig-003-20251003 (https://download.01.org/0day-ci/archive/20251003/202510030646.pqNWfKQ0-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251003/202510030646.pqNWfKQ0-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510030646.pqNWfKQ0-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/percpu.h:5,
from arch/x86/include/asm/msr.h:16,
from arch/x86/include/asm/tsc.h:11,
from arch/x86/include/asm/timex.h:6,
from include/linux/timex.h:67,
from include/linux/time32.h:13,
from include/linux/time.h:60,
from include/linux/stat.h:19,
from include/linux/fs.h:11,
from include/linux/debugfs.h:15,
from drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:24:
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c: In function 'amdgpu_ras_badpages_read':
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:239:16: note: in definition of macro 'alloc_hooks_tag'
239 | typeof(_do_alloc) _res; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:239:16: note: in definition of macro 'alloc_hooks_tag'
239 | typeof(_do_alloc) _res; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:243:24: note: in definition of macro 'alloc_hooks_tag'
243 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:243:24: note: in definition of macro 'alloc_hooks_tag'
243 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:246:24: note: in definition of macro 'alloc_hooks_tag'
246 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:246:24: note: in definition of macro 'alloc_hooks_tag'
246 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
vim +2569 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
2546
2547 /* return 0 on success.
2548 * caller need free bps.
2549 */
2550 static int amdgpu_ras_badpages_read(struct amdgpu_device *adev,
2551 struct ras_badpage **bps, unsigned int *count)
2552 {
2553 struct amdgpu_ras *con = amdgpu_ras_get_context(adev);
2554 struct ras_err_handler_data *data;
2555 int i = 0;
2556 int ret = 0, status;
2557
2558 if (!con || !con->eh_data || !bps || !count)
2559 return -EINVAL;
2560
2561 mutex_lock(&con->recovery_lock);
2562 data = con->eh_data;
2563 if (!data || data->count == 0) {
2564 *bps = NULL;
2565 ret = -EINVAL;
2566 goto out;
2567 }
2568
> 2569 *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
2570 if (!*bps) {
2571 ret = -ENOMEM;
2572 goto out;
2573 }
2574
2575 for (; i < data->count; i++) {
2576 (*bps)[i] = (struct ras_badpage){
2577 .bp = data->bps[i].retired_page,
2578 .size = AMDGPU_GPU_PAGE_SIZE,
2579 .flags = AMDGPU_RAS_RETIRE_PAGE_RESERVED,
2580 };
2581 status = amdgpu_vram_mgr_query_page_status(&adev->mman.vram_mgr,
2582 data->bps[i].retired_page << AMDGPU_GPU_PAGE_SHIFT);
2583 if (status == -EBUSY)
2584 (*bps)[i].flags = AMDGPU_RAS_RETIRE_PAGE_PENDING;
2585 else if (status == -ENOENT)
2586 (*bps)[i].flags = AMDGPU_RAS_RETIRE_PAGE_FAULT;
2587 }
2588
2589 *count = data->count;
2590 out:
2591 mutex_unlock(&con->recovery_lock);
2592 return ret;
2593 }
2594
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-02 23:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-02 2:22 [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation Bhanu Seshu Kumar Valluri
2025-10-02 23:19 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox