* [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
@ 2023-05-23 22:53 ` Chia-I Wu
0 siblings, 0 replies; 6+ messages in thread
From: Chia-I Wu @ 2023-05-23 22:53 UTC (permalink / raw)
To: dri-devel
Cc: Alex Deucher, Christian König, Pan, Xinhui, David Airlie,
Daniel Vetter, Felix Kuehling, Andrew Morton,
Marek Olšák, Yang Li, Kefeng Wang, Suren Baghdasaryan,
Philip Yang, Luben Tuikov, Mukul Joshi, Danijel Slivka,
Jammy Zhou, amd-gfx, linux-kernel
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
@ 2023-05-23 22:53 ` Chia-I Wu
0 siblings, 0 replies; 6+ messages in thread
From: Chia-I Wu @ 2023-05-23 22:53 UTC (permalink / raw)
To: dri-devel
Cc: Philip Yang, Kefeng Wang, Jammy Zhou, Mukul Joshi,
Suren Baghdasaryan, Felix Kuehling, Pan, Xinhui, linux-kernel,
amd-gfx, Marek Olšák, Luben Tuikov, Yang Li,
Danijel Slivka, Alex Deucher, Andrew Morton,
Christian König
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
@ 2023-05-23 22:53 ` Chia-I Wu
0 siblings, 0 replies; 6+ messages in thread
From: Chia-I Wu @ 2023-05-23 22:53 UTC (permalink / raw)
To: dri-devel
Cc: Philip Yang, Kefeng Wang, Jammy Zhou, Mukul Joshi,
Suren Baghdasaryan, Felix Kuehling, Pan, Xinhui, linux-kernel,
amd-gfx, Marek Olšák, Luben Tuikov, Yang Li,
Danijel Slivka, Daniel Vetter, Alex Deucher, Andrew Morton,
David Airlie, Christian König
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
2023-05-23 22:53 ` Chia-I Wu
(?)
@ 2023-05-24 18:27 ` Christian König
-1 siblings, 0 replies; 6+ messages in thread
From: Christian König @ 2023-05-24 18:27 UTC (permalink / raw)
To: Chia-I Wu, dri-devel
Cc: Alex Deucher, Pan, Xinhui, David Airlie, Daniel Vetter,
Felix Kuehling, Andrew Morton, Marek Olšák, Yang Li,
Kefeng Wang, Suren Baghdasaryan, Philip Yang, Luben Tuikov,
Mukul Joshi, Danijel Slivka, Jammy Zhou, amd-gfx, linux-kernel
Am 24.05.23 um 00:53 schrieb Chia-I Wu:
> Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
> amdgpu_vm_bo_replace_map no longer needs to validate (and its
> validations were insufficient either). amdgpu_vm_bo_map has internal
> users and its validations are kept.
No, please keep all validation inside amdgpu_vm.c code.
See the offset is unused or might have a different meaning for some use
cases, so validating it here is actually not correct.
Christian.
>
> This is motivated by OOB access in amdgpu_vm_update_range when
> offset_in_bo+map_size overflows.
>
> Userspace (radeonsi and radv) seems fine as well.
>
> v2: keep the validations in amdgpu_vm_bo_map
>
> Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
> Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
> drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
> 2 files changed, 16 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index d8e683688daab..36d5adfdf0f69 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
> uint64_t vm_size;
> int r = 0;
>
> + if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
> + args->map_size & ~PAGE_MASK) {
> + dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
> + args->va_address, args->offset_in_bo, args->map_size);
> + return -EINVAL;
> + }
> +
> + if (args->map_size == 0 ||
> + args->va_address + args->map_size < args->va_address ||
> + args->offset_in_bo + args->map_size < args->offset_in_bo) {
> + dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
> + args->map_size, args->va_address, args->offset_in_bo);
> + return -EINVAL;
> + }
> +
> if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
> dev_dbg(dev->dev,
> "va_address 0x%LX is in reserved area 0x%LX\n",
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> index b9441ab457ea7..6307baaa136cf 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> @@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
> uint64_t eaddr;
> int r;
>
> - /* validate the parameters */
> - if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
> - size == 0 || size & ~PAGE_MASK)
> - return -EINVAL;
> -
> /* make sure object fit at this offset */
> eaddr = saddr + size - 1;
> - if (saddr >= eaddr ||
> - (bo && offset + size > amdgpu_bo_size(bo)) ||
> + if ((bo && offset + size > amdgpu_bo_size(bo)) ||
> (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
> return -EINVAL;
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
@ 2023-05-24 18:27 ` Christian König
0 siblings, 0 replies; 6+ messages in thread
From: Christian König @ 2023-05-24 18:27 UTC (permalink / raw)
To: Chia-I Wu, dri-devel
Cc: Philip Yang, Kefeng Wang, Jammy Zhou, Mukul Joshi,
Suren Baghdasaryan, Felix Kuehling, Pan, Xinhui, linux-kernel,
amd-gfx, Luben Tuikov, Yang Li, Danijel Slivka, Alex Deucher,
Andrew Morton, Marek Olšák
Am 24.05.23 um 00:53 schrieb Chia-I Wu:
> Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
> amdgpu_vm_bo_replace_map no longer needs to validate (and its
> validations were insufficient either). amdgpu_vm_bo_map has internal
> users and its validations are kept.
No, please keep all validation inside amdgpu_vm.c code.
See the offset is unused or might have a different meaning for some use
cases, so validating it here is actually not correct.
Christian.
>
> This is motivated by OOB access in amdgpu_vm_update_range when
> offset_in_bo+map_size overflows.
>
> Userspace (radeonsi and radv) seems fine as well.
>
> v2: keep the validations in amdgpu_vm_bo_map
>
> Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
> Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
> drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
> 2 files changed, 16 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index d8e683688daab..36d5adfdf0f69 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
> uint64_t vm_size;
> int r = 0;
>
> + if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
> + args->map_size & ~PAGE_MASK) {
> + dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
> + args->va_address, args->offset_in_bo, args->map_size);
> + return -EINVAL;
> + }
> +
> + if (args->map_size == 0 ||
> + args->va_address + args->map_size < args->va_address ||
> + args->offset_in_bo + args->map_size < args->offset_in_bo) {
> + dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
> + args->map_size, args->va_address, args->offset_in_bo);
> + return -EINVAL;
> + }
> +
> if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
> dev_dbg(dev->dev,
> "va_address 0x%LX is in reserved area 0x%LX\n",
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> index b9441ab457ea7..6307baaa136cf 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> @@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
> uint64_t eaddr;
> int r;
>
> - /* validate the parameters */
> - if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
> - size == 0 || size & ~PAGE_MASK)
> - return -EINVAL;
> -
> /* make sure object fit at this offset */
> eaddr = saddr + size - 1;
> - if (saddr >= eaddr ||
> - (bo && offset + size > amdgpu_bo_size(bo)) ||
> + if ((bo && offset + size > amdgpu_bo_size(bo)) ||
> (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
> return -EINVAL;
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
@ 2023-05-24 18:27 ` Christian König
0 siblings, 0 replies; 6+ messages in thread
From: Christian König @ 2023-05-24 18:27 UTC (permalink / raw)
To: Chia-I Wu, dri-devel
Cc: Philip Yang, Kefeng Wang, Jammy Zhou, Mukul Joshi,
Suren Baghdasaryan, Felix Kuehling, Pan, Xinhui, linux-kernel,
amd-gfx, Luben Tuikov, Yang Li, Danijel Slivka, Daniel Vetter,
Alex Deucher, Andrew Morton, David Airlie, Marek Olšák
Am 24.05.23 um 00:53 schrieb Chia-I Wu:
> Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
> amdgpu_vm_bo_replace_map no longer needs to validate (and its
> validations were insufficient either). amdgpu_vm_bo_map has internal
> users and its validations are kept.
No, please keep all validation inside amdgpu_vm.c code.
See the offset is unused or might have a different meaning for some use
cases, so validating it here is actually not correct.
Christian.
>
> This is motivated by OOB access in amdgpu_vm_update_range when
> offset_in_bo+map_size overflows.
>
> Userspace (radeonsi and radv) seems fine as well.
>
> v2: keep the validations in amdgpu_vm_bo_map
>
> Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
> Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
> drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
> 2 files changed, 16 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index d8e683688daab..36d5adfdf0f69 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
> uint64_t vm_size;
> int r = 0;
>
> + if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
> + args->map_size & ~PAGE_MASK) {
> + dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
> + args->va_address, args->offset_in_bo, args->map_size);
> + return -EINVAL;
> + }
> +
> + if (args->map_size == 0 ||
> + args->va_address + args->map_size < args->va_address ||
> + args->offset_in_bo + args->map_size < args->offset_in_bo) {
> + dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
> + args->map_size, args->va_address, args->offset_in_bo);
> + return -EINVAL;
> + }
> +
> if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
> dev_dbg(dev->dev,
> "va_address 0x%LX is in reserved area 0x%LX\n",
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> index b9441ab457ea7..6307baaa136cf 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> @@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
> uint64_t eaddr;
> int r;
>
> - /* validate the parameters */
> - if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
> - size == 0 || size & ~PAGE_MASK)
> - return -EINVAL;
> -
> /* make sure object fit at this offset */
> eaddr = saddr + size - 1;
> - if (saddr >= eaddr ||
> - (bo && offset + size > amdgpu_bo_size(bo)) ||
> + if ((bo && offset + size > amdgpu_bo_size(bo)) ||
> (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
> return -EINVAL;
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-05-24 18:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-23 22:53 [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs Chia-I Wu
2023-05-23 22:53 ` Chia-I Wu
2023-05-23 22:53 ` Chia-I Wu
2023-05-24 18:27 ` Christian König
2023-05-24 18:27 ` Christian König
2023-05-24 18:27 ` Christian König
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.