drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO

kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL) at
amdgpu_gem.c:1050 uses the user-supplied num_entries directly without
any upper bounds check. Since num_entries is a __u32 and
sizeof(drm_amdgpu_gem_vm_entry) is 32 bytes, a large num_entries
produces an allocation exceeding INT_MAX, triggering
WARNING in __kvmalloc_node_noprof(), causing a kernel WARNING,
TAINT_WARN, and panic on CONFIG_PANIC_ON_WARN=y systems.

Add a size bounds check before we invoke the kvzalloc() to
reject oversized num_entries early with -EINVAL.

Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index aff4912ed95e55a4778c241ce940ae69b0776d47..1120f8225ac020b627ee23790653e9c0b4e1bce7 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -1094,6 +1094,11 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data,
                 * If that number is larger than the size of the array, the ioctl must
                 * be retried.
                 */
+               if (args->num_entries > INT_MAX / sizeof(*vm_entries)) {
+                       r = -EINVAL;
+                       goto out_exec;
+               }
+
                vm_entries = kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL);
                if (!vm_entries) {
                        r = -ENOMEM;