From: Chia-I Wu <olvaffe@gmail.com>
To: dri-devel@lists.freedesktop.org
Cc: "Philip Yang" <Philip.Yang@amd.com>,
"Kefeng Wang" <wangkefeng.wang@huawei.com>,
"Jammy Zhou" <Jammy.Zhou@amd.com>,
"Mukul Joshi" <mukul.joshi@amd.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org,
"Marek Olšák" <marek.olsak@amd.com>,
"Luben Tuikov" <luben.tuikov@amd.com>,
"Yang Li" <yang.lee@linux.alibaba.com>,
"Danijel Slivka" <danijel.slivka@amd.com>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"David Airlie" <airlied@gmail.com>,
"Christian König" <christian.koenig@amd.com>
Subject: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
Date: Tue, 23 May 2023 15:53:23 -0700 [thread overview]
Message-ID: <20230523225336.2642008-1-olvaffe@gmail.com> (raw)
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
WARNING: multiple messages have this Message-ID (diff)
From: Chia-I Wu <olvaffe@gmail.com>
To: dri-devel@lists.freedesktop.org
Cc: "Philip Yang" <Philip.Yang@amd.com>,
"Kefeng Wang" <wangkefeng.wang@huawei.com>,
"Jammy Zhou" <Jammy.Zhou@amd.com>,
"Mukul Joshi" <mukul.joshi@amd.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org,
"Marek Olšák" <marek.olsak@amd.com>,
"Luben Tuikov" <luben.tuikov@amd.com>,
"Yang Li" <yang.lee@linux.alibaba.com>,
"Danijel Slivka" <danijel.slivka@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Christian König" <christian.koenig@amd.com>
Subject: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
Date: Tue, 23 May 2023 15:53:23 -0700 [thread overview]
Message-ID: <20230523225336.2642008-1-olvaffe@gmail.com> (raw)
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
WARNING: multiple messages have this Message-ID (diff)
From: Chia-I Wu <olvaffe@gmail.com>
To: dri-devel@lists.freedesktop.org
Cc: "Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
"David Airlie" <airlied@gmail.com>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Marek Olšák" <marek.olsak@amd.com>,
"Yang Li" <yang.lee@linux.alibaba.com>,
"Kefeng Wang" <wangkefeng.wang@huawei.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Philip Yang" <Philip.Yang@amd.com>,
"Luben Tuikov" <luben.tuikov@amd.com>,
"Mukul Joshi" <mukul.joshi@amd.com>,
"Danijel Slivka" <danijel.slivka@amd.com>,
"Jammy Zhou" <Jammy.Zhou@amd.com>,
amd-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs
Date: Tue, 23 May 2023 15:53:23 -0700 [thread overview]
Message-ID: <20230523225336.2642008-1-olvaffe@gmail.com> (raw)
Validate drm_amdgpu_gem_va addrs in amdgpu_gem_va_ioctl.
amdgpu_vm_bo_replace_map no longer needs to validate (and its
validations were insufficient either). amdgpu_vm_bo_map has internal
users and its validations are kept.
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
Userspace (radeonsi and radv) seems fine as well.
v2: keep the validations in amdgpu_vm_bo_map
Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters")
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 15 +++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 +-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index d8e683688daab..36d5adfdf0f69 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -681,6 +681,21 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
uint64_t vm_size;
int r = 0;
+ if (args->va_address & ~PAGE_MASK || args->offset_in_bo & ~PAGE_MASK ||
+ args->map_size & ~PAGE_MASK) {
+ dev_dbg(dev->dev, "unaligned va_address 0x%LX, offset_in_bo 0x%LX, or map_size 0x%LX\n",
+ args->va_address, args->offset_in_bo, args->map_size);
+ return -EINVAL;
+ }
+
+ if (args->map_size == 0 ||
+ args->va_address + args->map_size < args->va_address ||
+ args->offset_in_bo + args->map_size < args->offset_in_bo) {
+ dev_dbg(dev->dev, "invalid map_size 0x%LX (va_address 0x%LX, offset_in_bo 0x%LX)\n",
+ args->map_size, args->va_address, args->offset_in_bo);
+ return -EINVAL;
+ }
+
if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
dev_dbg(dev->dev,
"va_address 0x%LX is in reserved area 0x%LX\n",
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index b9441ab457ea7..6307baaa136cf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1501,15 +1501,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK ||
- size == 0 || size & ~PAGE_MASK)
- return -EINVAL;
-
/* make sure object fit at this offset */
eaddr = saddr + size - 1;
- if (saddr >= eaddr ||
- (bo && offset + size > amdgpu_bo_size(bo)) ||
+ if ((bo && offset + size > amdgpu_bo_size(bo)) ||
(eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
return -EINVAL;
--
2.40.1.698.g37aff9b760-goog
next reply other threads:[~2023-05-23 22:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-23 22:53 Chia-I Wu [this message]
2023-05-23 22:53 ` [PATCH v2] amdgpu: validate drm_amdgpu_gem_va addrs Chia-I Wu
2023-05-23 22:53 ` Chia-I Wu
2023-05-24 18:27 ` Christian König
2023-05-24 18:27 ` Christian König
2023-05-24 18:27 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230523225336.2642008-1-olvaffe@gmail.com \
--to=olvaffe@gmail.com \
--cc=Felix.Kuehling@amd.com \
--cc=Jammy.Zhou@amd.com \
--cc=Philip.Yang@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=danijel.slivka@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luben.tuikov@amd.com \
--cc=marek.olsak@amd.com \
--cc=mukul.joshi@amd.com \
--cc=surenb@google.com \
--cc=wangkefeng.wang@huawei.com \
--cc=yang.lee@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.