From nobody Sun May 24 19:33:20 2026 Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 400093A6EE7 for ; Sat, 23 May 2026 14:27:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779546440; cv=none; b=gbTS1uQx9c4hEkNkwSxWfzu8jdRV6iGfJOosy/OpndweX/k2wpzRENwzhWvwz/cWeyLCL4RT32N754+wLxXnX6SOP0jtb71uJh3cAIiHr/e0HYavPH58pTZfVzlSTz/Qu29lJYunlYSBnJHXCe6DHZp/wsYcEQQ7/OOuLCmowgk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779546440; c=relaxed/simple; bh=D3qIhb6eGYYsATz1C0SUhXejwGUftqdytivMY0DlgC8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=CKmSa/laTHRtS2/t86TNhbBozB73bPG6GaGMJQCW6WSoPCb0NFbRYHprbCVUdPVkrpusI5VdD0AeYim1l3n4KTR3Wq+Tl3Zosnvnt9QJa1MqfxUSPDc6ZP5CrqfT2xMbp8FfYQakCzcj554MWiJMQvjAvwskbCSniS9lA+Vwioc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dmx0isqK; arc=none smtp.client-ip=209.85.215.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dmx0isqK" Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-c6dd5b01e14so3838375a12.0 for ; Sat, 23 May 2026 07:27:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779546438; x=1780151238; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=mzFTxVPO2bV5wPss4Z0njUQ82fwBRkchQ0evEohJCFc=; b=dmx0isqKpIqFEcwpAURxxuhUlQKjV9SNy3fNevKsNJNcBvZdBIlxBd6RjD+nfvSulQ MOvYraLZ9AzPV4eQ50so+cmLsA6xB7HX+IxWbaGZ+OYux5+FdwOsd8DUuNARRKGNbnW0 elc4DN360xDHrNIh6HeoGHEzh87dj6Z3hyOy1VV814ehomZ7tf11HqHg+FDsWcHkpHpp X10B1x7ePwzrjm4LiyvNvH+5rN/wE6+dSOt3vO3/PbHP4iBPFDpWgNbzanig/K9ceAar XidkHISUzAFkoHzB/ojPuaozGFrYCXiuv8xJpGRCA0hR60Flel3aMLGwJuBLoHsjtBjR VSgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779546438; x=1780151238; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=mzFTxVPO2bV5wPss4Z0njUQ82fwBRkchQ0evEohJCFc=; b=mvHd9vkgdzlEotdEoBl3IuQcE2dM/It+L2PKnNCQ6sYc/JsPASdJn+p6Dp2gO9fG8u 6hqFrpVyHxv33RDhG8SCd1vs8iH5iiIB2y/KqnaetM6j8gWSEz3lAsOKImXQTIVn6Gh2 JtEU9QeHPgS4n8eoAZ6sOUEiE8gugqM70PkzL7VEWeqj1F8PBmtnDMLlVu+8RkE6i41I M7u5Sr/WWiPjRqlcFoLBf4FqG1fjf7f3H1ZYgqtesD0Do70EhqZ+Un/30qxvhpUZP4LV E9ICGUgosCVTudXCFhRhRv8PEHtZSvZcwzql0mjTLe+GBc4nTXS48tibl7iFxMUpz+TK edrg== X-Forwarded-Encrypted: i=1; AFNElJ8FNDw5lxr5ByT1U6fHGb7zHNphqzZwzE3+hAqVAMfSjgIATukaHbuOQDKrsiu72lMKhC/R296vazLBDR0=@vger.kernel.org X-Gm-Message-State: AOJu0YzCaCatJLmFJt6KSQXwaKegAs+jq4o26a2G3+9pd8YvZ68NBpSB hVSTIf+Yu5EHIe3Fq6BYGYdgmuQcg4d1Ly1dEEpfLFwMB/J1Iudgmkol X-Gm-Gg: Acq92OGg/84oH0NwgP+iKK85u8qz6IFFGjkWWAW0wrcvmfezd33II18OO5kmULUE78w Tgg56vr+QOd1btE1XCtQgH8FEplF8ENlCKgWe4KQqNpBZyaLYLxZI4WzCpZ7+oDuknnp3DRQVba npbw3kGdDIJ798obn1YA521qshi+i5Si95+vQxvd83Gz+7F6S3zvPUP0EeDgTg1rHrYVR2xuntu YuX9JufaBbvDpZhIwke/MUvv9pLGyt/JU0TYGvKtp6xQNVeYvVbc4uua2tz4ApcEZ4lgO4pV4qv 5LnbwvqoH0soDLeXvRdzNV5nLrl5sgYXdBdck9BH5ui06ciMp9Yhyj1o7VYimFKIvpjGT07rCYb QMDpqkVDf6xsR1QqkmFIvFBJru+8QlWwp9PRWrY0nfCVV6uk8I9dzA2NGgQxeChbfdSYqVKttwp xyswQ6RUaDB9po+kwtmf3rWcTwqeUeqp9puYLnEOsRrE0QtrLDd6uNgRm6RXqerADA5xe2GcgVp +bGsPNvaRfOd4m2cBc1wRFV9L/wqYTple/52Lxi0YL9U5nMdePjj1lkCWNhZ43e0DFGXDXhm+2U 9rx9fUI1v93C9lqmbfiy03eN5g== X-Received: by 2002:a05:6a21:32a0:b0:3b3:216b:274c with SMTP id adf61e73a8af0-3b328cc44f3mr8711006637.22.1779546438447; Sat, 23 May 2026 07:27:18 -0700 (PDT) Received: from codespaces-78f0a7.mimvmn1ww3huhhjmzljqefhnig.rx.internal.cloudapp.net ([4.240.39.192]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-84164afe2dasm4875597b3a.19.2026.05.23.07.27.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 23 May 2026 07:27:18 -0700 (PDT) From: Muhammad Bilal To: Felix.Kuehling@amd.com Cc: alexander.deucher@amd.com, christian.koenig@amd.com, airlied@gmail.com, simona@ffwll.ch, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal Subject: [PATCH] drm/amdkfd: fix integer overflow in get_queue_ids() Date: Sat, 23 May 2026 14:26:45 +0000 Message-ID: <20260523142645.39102-1-meatuni001@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" get_queue_ids() computes the allocation size as: size_t array_size =3D num_queues * sizeof(uint32_t); num_queues is a user-controlled u32 copied directly from the ioctl argument (args.suspend_queues.num_queues or args.resume_queues.num_queues) via kfd_ioctl_set_debug_trap() with no prior validation or clamping. On 32-bit kernels, size_t is 32 bits wide. A caller supplying num_queues =3D 0x40000001 causes the multiplication to silently wrap: 0x40000001 * 4 =3D 0x100000004 -> truncated to 0x4 memdup_user() then allocates only 4 bytes. q_array_invalidate() is called immediately after with the original num_queues value and iterates 0x40000001 times writing KFD_DBG_QUEUE_INVALID_MASK into the 4-byte buffer, producing an unbounded heap buffer overflow. q_array_get_index() in both callers walks the same buffer using the same unchecked count. Both call sites are affected: - suspend_queues() calls get_queue_ids() unconditionally - resume_queues() calls it only when usr_queue_id_array is non-NULL Both callers already propagate IS_ERR() returns to userspace, so returning ERR_PTR(-EINVAL) on overflow requires no new error handling. The copy_to_user() calls at the tail of both functions also compute num_queues * sizeof(uint32_t), but are only reachable after a successful get_queue_ids() return, so they are safe once the allocation is correctly bounded. Fix by replacing the unchecked multiplication with check_mul_overflow(). Cast num_queues to size_t so all three arguments match the destination type, avoiding implicit type mismatch on compilers that implement the macro with typeof() rather than __builtin_mul_overflow() directly. Add an explicit #include rather than relying on the transitive pull through linux/slab.h. Fixes: a70a93fa568b ("drm/amdkfd: add debug suspend and resume process queu= es operation") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal --- drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/driver= s/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c index e0a31e11f0ff..c08ad718dbd7 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -3308,11 +3309,14 @@ static void copy_context_work_handler(struct work_s= truct *work) =20 static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id= _array) { - size_t array_size =3D num_queues * sizeof(uint32_t); + size_t array_size; =20 if (!usr_queue_id_array) return NULL; =20 + if (check_mul_overflow((size_t)num_queues, sizeof(uint32_t), &array_size)) + return ERR_PTR(-EINVAL); + return memdup_user(usr_queue_id_array, array_size); } =20 --=20 2.53.0