From 233b85f5b4befa1f5dcce99d6a47bb38e1d3c7db Mon Sep 17 00:00:00 2001 From: jsg Date: Wed, 10 Jun 2026 00:21:35 +0000 Subject: [PATCH] drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO From Ziyi Guo f059b4c493df3e54fe3ffe4658009c31864275da in linux-6.18.y/6.18.35 a1ba4594232c87c3b8defd6f89a2e40f8b08395d in mainline linux --- sys/dev/pci/drm/amd/amdgpu/amdgpu_gem.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_gem.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_gem.c index 206ba636efb..928a224b065 100644 --- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_gem.c +++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_gem.c @@ -1194,6 +1194,11 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data, * If that number is larger than the size of the array, the ioctl must * be retried. */ + if (args->num_entries > INT_MAX / sizeof(*vm_entries)) { + r = -EINVAL; + goto out_exec; + } + vm_entries = kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL); if (!vm_entries) { r = -ENOMEM;