[PATCH v1] drm/xe: use krealloc_array to prevent integer overflow

Next message: Sumit Garg: "Re: [GIT PULL] TEE shared memory fix for 7.0"
Previous message: Pengpeng Hou: "[PATCH] Bluetooth: btintel_pcie: validate RX buffer tags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Baoli.Zhang

Date: Mon Mar 23 2026 - 08:18:56 EST

Replace the use of krealloc() with krealloc_array() in xe driver to
mitigate the risk of integer overflow during memory allocation size
calculation.

Signed-off-by: Baoli.Zhang <baoli.zhang@xxxxxxxxxxxxxxx>
Signed-off-by: Junxiao.Chang <junxiao.chang@xxxxxxxxx>
---
drivers/gpu/drm/xe/xe_configfs.c | 2 +-
drivers/gpu/drm/xe/xe_vm_madvise.c | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_configfs.c b/drivers/gpu/drm/xe/xe_configfs.c
index 7fd07d1280bb1..4cf903c904ba0 100644
--- a/drivers/gpu/drm/xe/xe_configfs.c
+++ b/drivers/gpu/drm/xe/xe_configfs.c
@@ -766,7 +766,7 @@ static ssize_t wa_bb_store(struct wa_bb wa_bb[static XE_ENGINE_CLASS_MAX],
* 2. Allocate a u32 array and set the pointers to the right positions
* according to the length of each class' wa_bb
*/
- tmp = krealloc(wa_bb[0].cs, count * sizeof(u32), GFP_KERNEL);
+ tmp = krealloc_array(wa_bb[0].cs, count, sizeof(u32), GFP_KERNEL);
if (!tmp)
return -ENOMEM;

diff --git a/drivers/gpu/drm/xe/xe_vm_madvise.c b/drivers/gpu/drm/xe/xe_vm_madvise.c
index bc39a9a9790c3..82afe4bef0725 100644
--- a/drivers/gpu/drm/xe/xe_vm_madvise.c
+++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
@@ -63,8 +63,9 @@ static int get_vmas(struct xe_vm *vm, struct xe_vmas_in_madvise_range *madvise_r

if (madvise_range->num_vmas == max_vmas) {
max_vmas <<= 1;
- __vmas = krealloc(madvise_range->vmas,
- max_vmas * sizeof(*madvise_range->vmas),
+ __vmas = krealloc_array(madvise_range->vmas,
+ max_vmas,
+ sizeof(*madvise_range->vmas),
GFP_KERNEL);
if (!__vmas) {
kfree(madvise_range->vmas);
--
2.43.0