@@ -2572,7 +2572,8 @@ static void hl_capture_user_mappings(struct hl_device *hdev, bool is_pmmu)
*/
vfree(pgf_info->user_mappings);
pgf_info->user_mappings =
- vzalloc(pgf_info->num_of_user_mappings * sizeof(struct hl_user_mapping));
+ vzalloc(array_size(pgf_info->num_of_user_mappings,
+ sizeof(struct hl_user_mapping)));
if (!pgf_info->user_mappings) {
pgf_info->num_of_user_mappings = 0;
goto finish;
@@ -272,7 +272,7 @@ static u32 *hl_state_dump_read_sync_objects(struct hl_device *hdev, u32 index)
base_addr = sds->props[SP_SYNC_OBJ_BASE_ADDR] +
sds->props[SP_NEXT_SYNC_OBJ_ADDR] * index;
- sync_objects = vmalloc(sds->props[SP_SYNC_OBJ_AMOUNT] * sizeof(u32));
+ sync_objects = vmalloc(array_size(sds->props[SP_SYNC_OBJ_AMOUNT], sizeof(u32)));
if (!sync_objects)
return NULL;
@@ -453,8 +453,8 @@ hl_state_dump_alloc_read_sm_block_monitors(struct hl_device *hdev, u32 index)
s64 base_addr; /* Base addr can be negative */
int i;
- monitors = vmalloc(sds->props[SP_MONITORS_AMOUNT] *
- sizeof(struct hl_mon_state_dump));
+ monitors = vmalloc(array_size(sds->props[SP_MONITORS_AMOUNT],
+ sizeof(struct hl_mon_state_dump)));
if (!monitors)
return NULL;
Use array_size to protect against multiplication overflows. The changes were done using the following Coccinelle semantic patch: // <smpl> @@ expression E1, E2; constant C1, C2; identifier alloc = {vmalloc,vzalloc}; @@ ( alloc(C1 * C2,...) | alloc( - (E1) * (E2) + array_size(E1, E2) ,...) ) // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr> --- drivers/accel/habanalabs/common/device.c | 3 ++- drivers/accel/habanalabs/common/state_dump.c | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-)