git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
drm/amd/display: Use krealloc_array() in dal_vector_reserve()
author: Harry Wentland <harry.wentland@amd.com>
Tue, 5 May 2026 15:52:15 +0000 (11:52 -0400)
committer: Alex Deucher <alexander.deucher@amd.com>
Wed, 3 Jun 2026 18:44:36 +0000 (14:44 -0400)
[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.

Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.

Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Cc: stable@vger.kernel.org
drivers/gpu/drm/amd/display/dc/basics/vector.c

index e8736c134b8d27bd34e049bf1479bca1b48cc0b0..60bd9ead928a1c0e88c03c72bbbbe6b1fde5c663 100644 (file)
@@ -289,8 +289,8 @@ bool dal_vector_reserve(struct vector *vector, uint32_t capacity)
        if (capacity <= vector->capacity)
                return true;
 
-       new_container = krealloc(vector->container,
-                                capacity * vector->struct_size, GFP_KERNEL);
+       new_container = krealloc_array(vector->container,
+                                      capacity, vector->struct_size, GFP_KERNEL);
 
        if (new_container) {
                vector->container = new_container;
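
Review bot: In the krealloc_array() call, capacity (uint32_t per the function signature) and vector->struct_size are both converted to size_t before the multiply, so where size_t is 64 bits the product of two 32-bit values cannot wrap and the helper's overflow check never fires. The request then reaches the allocator at its true size and is refused there, not by the check. The outcome is still safe because the `if (new_container)` branch only updates vector->container on success, but the commit message's "returns NULL on wrap" describes only builds with a 32-bit size_t, and it would help to say so. Since the fix now depends on the NULL path, please also confirm that callers of dal_vector_reserve() check the bool return before appending, and consider whether an explicit upper bound on capacity belongs here so that an absurd request is rejected before it is handed to the allocator.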