drm/amdkfd: Integer overflows in ioctl

args->n_devices is a u32 that comes from the user.  The multiplication
could overflow on 32 bit systems possibly leading to privilege
escalation.

Fixes: 5ec7e02854b3 ("drm/amdkfd: Add ioctls for GPUVM memory management")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 5694fbe..ce15baf 100644 (file)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -1303,8 +1303,8 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
                return -EINVAL;
        }
 
-       devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
-                             GFP_KERNEL);
+       devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
+                                   GFP_KERNEL);
        if (!devices_arr)
                return -ENOMEM;
 
@@ -1412,8 +1412,8 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
                return -EINVAL;
        }
 
-       devices_arr = kmalloc(args->n_devices * sizeof(*devices_arr),
-                             GFP_KERNEL);
+       devices_arr = kmalloc_array(args->n_devices, sizeof(*devices_arr),
+                                   GFP_KERNEL);
        if (!devices_arr)
                return -ENOMEM;