drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 4 ++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
Use kmalloc_array to avoid potential overflow during dynamic size calculation
inside kmalloc.
Signed-off-by: Bhanu Seshu Kumar Valluri <bhanuseshukumar@gmail.com>
---
Note:
Patch is verified for compilation.
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 4 ++--
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 540817e296da..642addf70466 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -2566,7 +2566,7 @@ static int amdgpu_ras_badpages_read(struct amdgpu_device *adev,
goto out;
}
- *bps = kmalloc(sizeof(struct ras_badpage) * data->count, GFP_KERNEL);
+ *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
if (!*bps) {
ret = -ENOMEM;
goto out;
@@ -2722,7 +2722,7 @@ static int amdgpu_ras_realloc_eh_data_space(struct amdgpu_device *adev,
unsigned int old_space = data->count + data->space_left;
unsigned int new_space = old_space + pages;
unsigned int align_space = ALIGN(new_space, 512);
- void *bps = kmalloc(align_space * sizeof(*data->bps), GFP_KERNEL);
+ void *bps = kmalloc_array(align_space, sizeof(*data->bps), GFP_KERNEL);
if (!bps) {
return -ENOMEM;
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index 3d2f8eedeef2..e027798ece03 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -146,7 +146,7 @@ static void amdgpu_dm_plane_add_modifier(uint64_t **mods, uint64_t *size, uint64
if (*cap - *size < 1) {
uint64_t new_cap = *cap * 2;
- uint64_t *new_mods = kmalloc(new_cap * sizeof(uint64_t), GFP_KERNEL);
+ uint64_t *new_mods = kmalloc_array(new_cap, sizeof(uint64_t), GFP_KERNEL);
if (!new_mods) {
kfree(*mods);
@@ -732,7 +732,7 @@ static int amdgpu_dm_plane_get_plane_modifiers(struct amdgpu_device *adev, unsig
if (adev->family < AMDGPU_FAMILY_AI)
return 0;
- *mods = kmalloc(capacity * sizeof(uint64_t), GFP_KERNEL);
+ *mods = kmalloc_array(capacity, sizeof(uint64_t), GFP_KERNEL);
if (plane_type == DRM_PLANE_TYPE_CURSOR) {
amdgpu_dm_plane_add_modifier(mods, &size, &capacity, DRM_FORMAT_MOD_LINEAR);
--
2.34.1Hi Bhanu,
kernel test robot noticed the following build warnings:
[auto build test WARNING on amd-pstate/linux-next]
[also build test WARNING on amd-pstate/bleeding-edge v6.17]
[cannot apply to linus/master next-20251002]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Bhanu-Seshu-Kumar-Valluri/drm-amd-Use-kmalloc_array-to-prevent-overflow-of-dynamic-size-calculation/20251002-102458
base: https://git.kernel.org/pub/scm/linux/kernel/git/superm1/linux.git linux-next
patch link: https://lore.kernel.org/r/20251002022241.77823-1-bhanuseshukumar%40gmail.com
patch subject: [PATCH] drm: amd: Use kmalloc_array to prevent overflow of dynamic size calculation
config: x86_64-randconfig-003-20251003 (https://download.01.org/0day-ci/archive/20251003/202510030646.pqNWfKQ0-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251003/202510030646.pqNWfKQ0-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510030646.pqNWfKQ0-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/percpu.h:5,
from arch/x86/include/asm/msr.h:16,
from arch/x86/include/asm/tsc.h:11,
from arch/x86/include/asm/timex.h:6,
from include/linux/timex.h:67,
from include/linux/time32.h:13,
from include/linux/time.h:60,
from include/linux/stat.h:19,
from include/linux/fs.h:11,
from include/linux/debugfs.h:15,
from drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:24:
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c: In function 'amdgpu_ras_badpages_read':
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:239:16: note: in definition of macro 'alloc_hooks_tag'
239 | typeof(_do_alloc) _res; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:239:16: note: in definition of macro 'alloc_hooks_tag'
239 | typeof(_do_alloc) _res; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:243:24: note: in definition of macro 'alloc_hooks_tag'
243 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:243:24: note: in definition of macro 'alloc_hooks_tag'
243 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: warning: 'kmalloc_array_noprof' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:246:24: note: in definition of macro 'alloc_hooks_tag'
246 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:37: note: earlier argument should specify number of elements, later size of each element
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~
include/linux/alloc_tag.h:246:24: note: in definition of macro 'alloc_hooks_tag'
246 | _res = _do_alloc; \
| ^~~~~~~~~
include/linux/slab.h:950:49: note: in expansion of macro 'alloc_hooks'
950 | #define kmalloc_array(...) alloc_hooks(kmalloc_array_noprof(__VA_ARGS__))
| ^~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:2569:16: note: in expansion of macro 'kmalloc_array'
2569 | *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
| ^~~~~~~~~~~~~
vim +2569 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
2546
2547 /* return 0 on success.
2548 * caller need free bps.
2549 */
2550 static int amdgpu_ras_badpages_read(struct amdgpu_device *adev,
2551 struct ras_badpage **bps, unsigned int *count)
2552 {
2553 struct amdgpu_ras *con = amdgpu_ras_get_context(adev);
2554 struct ras_err_handler_data *data;
2555 int i = 0;
2556 int ret = 0, status;
2557
2558 if (!con || !con->eh_data || !bps || !count)
2559 return -EINVAL;
2560
2561 mutex_lock(&con->recovery_lock);
2562 data = con->eh_data;
2563 if (!data || data->count == 0) {
2564 *bps = NULL;
2565 ret = -EINVAL;
2566 goto out;
2567 }
2568
> 2569 *bps = kmalloc_array(sizeof(struct ras_badpage), data->count, GFP_KERNEL);
2570 if (!*bps) {
2571 ret = -ENOMEM;
2572 goto out;
2573 }
2574
2575 for (; i < data->count; i++) {
2576 (*bps)[i] = (struct ras_badpage){
2577 .bp = data->bps[i].retired_page,
2578 .size = AMDGPU_GPU_PAGE_SIZE,
2579 .flags = AMDGPU_RAS_RETIRE_PAGE_RESERVED,
2580 };
2581 status = amdgpu_vram_mgr_query_page_status(&adev->mman.vram_mgr,
2582 data->bps[i].retired_page << AMDGPU_GPU_PAGE_SHIFT);
2583 if (status == -EBUSY)
2584 (*bps)[i].flags = AMDGPU_RAS_RETIRE_PAGE_PENDING;
2585 else if (status == -ENOENT)
2586 (*bps)[i].flags = AMDGPU_RAS_RETIRE_PAGE_FAULT;
2587 }
2588
2589 *count = data->count;
2590 out:
2591 mutex_unlock(&con->recovery_lock);
2592 return ret;
2593 }
2594
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
© 2016 - 2025 Red Hat, Inc.