From: sashiko-bot@kernel.org
To: "Adrián Larumbe" <adrian.larumbe@collabora.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/2] drm/panthor: Add vm_bind region with kbo range intersection check
Date: Tue, 23 Jun 2026 20:14:32 +0000
Message-ID: <20260623201433.0BC441F000E9@smtp.kernel.org>
In-Reply-To: <20260616-vm_bind_checks-v1-1-956198602ae3@collabora.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Integer overflow in `panthor_vm_is_kernel_address()` bypasses the newly added kernel BO range check.
--

commit 517863d5c6821783c9329a7a6ac1663177dce0ba
Author: Adrián Larumbe <adrian.larumbe@collabora.com>

drm/panthor: Add vm_bind region with kbo range intersection check

This commit adds a check during VM binding to ensure that user-exposed BO
mappings do not intersect with the virtual address space carve-out reserved
for kernel BOs. It introduces panthor_vm_is_kernel_address() to evaluate if
the requested mapping overlaps with the kernel VA range.

> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> index 31cc57029c12c..5625f3d340318 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
[ ... ]
> @@ -1309,6 +1318,24 @@ static int panthor_vm_op_ctx_prealloc_pts(struct panthor_vm_op_ctx *op_ctx)
> return 0;
> }
>
> +static bool
> +panthor_vm_is_kernel_address(struct panthor_vm *vm,
> + const struct drm_panthor_vm_bind_op *op)
> +{
> + u32 op_type = op->flags & DRM_PANTHOR_VM_BIND_OP_TYPE_MASK;
> + u64 end, kstart, krange, kend;
> +
> + if (op_type == DRM_PANTHOR_VM_BIND_OP_TYPE_SYNC_ONLY)
> + return false;
> +
> + end = op->va + op->size;
> + kstart = vm->kernel_va.start;
> + krange = vm->kernel_va.range;
> + kend = kstart + krange;
> +
> + return krange && op->va < kend && kstart < end;

[Severity: Medium]
Can this calculation integer overflow?

If a user provides an op->va and op->size that wrap around a 64-bit integer
when added, end becomes a small value.

This would cause the intersection check (kstart < end) to evaluate to false,
bypassing the newly added kernel BO range check.

Should this use an overflow safe check to validate the range before checking
the intersection?

> +}
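
Review bot: `end = op->va + op->size` in panthor_vm_is_kernel_address() is an unchecked sum stored in a u64, and nothing in this hunk rejects a wrapping range before the `kstart < end` comparison, so a wrapped `end` makes the helper return false. Consider computing it with check_add_overflow(op->va, op->size, &end) and failing the bind when that reports overflow, rather than treating the request as non-intersecting. The helper would also benefit from a short comment stating that SYNC_ONLY ops are exempt and that it tests a range rather than a single address, which the name does not convey.
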
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616-vm_bind_checks-v1-0-956198602ae3@collabora.com?part=1
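
The wrap-around described in the review above, as an added user-space example that is not part of the patch or of the Sashiko review: the carve-out values, request values and function names are constructed for illustration, and `__builtin_add_overflow()` (GCC/Clang) stands in for the kernel's `check_add_overflow()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel VA carve-out (values are made up). */
struct va_range { uint64_t start, range; };
static const struct va_range KERNEL_VA = { 0x800000000000ULL, 0x10000000ULL };

/* Same arithmetic as the quoted check: va + size may wrap past 2^64. */
static bool intersects_wrapping(struct va_range k, uint64_t va, uint64_t size)
{
	uint64_t end = va + size;
	uint64_t kend = k.start + k.range;

	return k.range && va < kend && k.start < end;
}

/*
 * Overflow-checked variant (one possible fix, chosen for this example):
 * a request whose end wraps is reported as intersecting, so the caller
 * rejects it. The carve-out sum is left as is because it is not user input.
 */
static bool intersects_checked(struct va_range k, uint64_t va, uint64_t size)
{
	uint64_t end;
	uint64_t kend = k.start + k.range;

	if (__builtin_add_overflow(va, size, &end))
		return true;

	return k.range && va < kend && k.start < end;
}

int main(void)
{
	/* Constructed requests: inside the carve-out, disjoint, and wrapping. */
	const uint64_t req[][2] = {
		{ 0x800000001000ULL, 0x1000ULL },
		{ 0x1000ULL, 0x1000ULL },
		{ 0x1000ULL, 0xFFFFFFFFFFFFF000ULL },	/* va + size == 2^64 -> 0 */
	};

	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++)
		printf("va=%#llx size=%#llx wrapping=%d checked=%d\n",
		       (unsigned long long)req[i][0], (unsigned long long)req[i][1],
		       intersects_wrapping(KERNEL_VA, req[i][0], req[i][1]),
		       intersects_checked(KERNEL_VA, req[i][0], req[i][1]));
	return 0;
}
```

The third request starts below the carve-out and spans it, yet only the checked variant flags it.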