From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, "Vlad Stolyarov" <hexed@google.com>,
"Christian König" <christian.koenig@amd.com>,
"xinhui pan" <xinhui.pan@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>
Subject: [PATCH 5.15 64/71] drm/amdgpu: validate the parameters of bo mapping operations more clearly
Date: Tue, 23 Apr 2024 14:40:17 -0700 [thread overview]
Message-ID: <20240423213846.402979155@linuxfoundation.org> (raw)
In-Reply-To: <20240423213844.122920086@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: xinhui pan <xinhui.pan@amd.com>
commit 6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75 upstream.
Verify the parameters of
amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.
Fixes: dc54d3d1744d ("drm/amdgpu: implement AMDGPU_VA_OP_CLEAR v2")
Cc: stable@vger.kernel.org
Reported-by: Vlad Stolyarov <hexed@google.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Signed-off-by: xinhui pan <xinhui.pan@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 72 +++++++++++++++++++++------------
1 file changed, 46 insertions(+), 26 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -2306,6 +2306,37 @@ static void amdgpu_vm_bo_insert_map(stru
trace_amdgpu_vm_bo_map(bo_va, mapping);
}
+/* Validate operation parameters to prevent potential abuse */
+static int amdgpu_vm_verify_parameters(struct amdgpu_device *adev,
+ struct amdgpu_bo *bo,
+ uint64_t saddr,
+ uint64_t offset,
+ uint64_t size)
+{
+ uint64_t tmp, lpfn;
+
+ if (saddr & AMDGPU_GPU_PAGE_MASK
+ || offset & AMDGPU_GPU_PAGE_MASK
+ || size & AMDGPU_GPU_PAGE_MASK)
+ return -EINVAL;
+
+ if (check_add_overflow(saddr, size, &tmp)
+ || check_add_overflow(offset, size, &tmp)
+ || size == 0 /* which also leads to end < begin */)
+ return -EINVAL;
+
+ /* make sure object fit at this offset */
+ if (bo && offset + size > amdgpu_bo_size(bo))
+ return -EINVAL;
+
+ /* Ensure last pfn not exceed max_pfn */
+ lpfn = (saddr + size - 1) >> AMDGPU_GPU_PAGE_SHIFT;
+ if (lpfn >= adev->vm_manager.max_pfn)
+ return -EINVAL;
+
+ return 0;
+}
+
/**
* amdgpu_vm_bo_map - map bo inside a vm
*
@@ -2332,21 +2363,14 @@ int amdgpu_vm_bo_map(struct amdgpu_devic
struct amdgpu_bo *bo = bo_va->base.bo;
struct amdgpu_vm *vm = bo_va->base.vm;
uint64_t eaddr;
+ int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK)
- return -EINVAL;
- if (saddr + size <= saddr || offset + size <= offset)
- return -EINVAL;
-
- /* make sure object fit at this offset */
- eaddr = saddr + size - 1;
- if ((bo && offset + size > amdgpu_bo_size(bo)) ||
- (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
- return -EINVAL;
+ r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size);
+ if (r)
+ return r;
saddr /= AMDGPU_GPU_PAGE_SIZE;
- eaddr /= AMDGPU_GPU_PAGE_SIZE;
+ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;
tmp = amdgpu_vm_it_iter_first(&vm->va, saddr, eaddr);
if (tmp) {
@@ -2399,17 +2423,9 @@ int amdgpu_vm_bo_replace_map(struct amdg
uint64_t eaddr;
int r;
- /* validate the parameters */
- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK)
- return -EINVAL;
- if (saddr + size <= saddr || offset + size <= offset)
- return -EINVAL;
-
- /* make sure object fit at this offset */
- eaddr = saddr + size - 1;
- if ((bo && offset + size > amdgpu_bo_size(bo)) ||
- (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
- return -EINVAL;
+ r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size);
+ if (r)
+ return r;
/* Allocate all the needed memory */
mapping = kmalloc(sizeof(*mapping), GFP_KERNEL);
@@ -2423,7 +2439,7 @@ int amdgpu_vm_bo_replace_map(struct amdg
}
saddr /= AMDGPU_GPU_PAGE_SIZE;
- eaddr /= AMDGPU_GPU_PAGE_SIZE;
+ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;
mapping->start = saddr;
mapping->last = eaddr;
@@ -2510,10 +2526,14 @@ int amdgpu_vm_bo_clear_mappings(struct a
struct amdgpu_bo_va_mapping *before, *after, *tmp, *next;
LIST_HEAD(removed);
uint64_t eaddr;
+ int r;
+
+ r = amdgpu_vm_verify_parameters(adev, NULL, saddr, 0, size);
+ if (r)
+ return r;
- eaddr = saddr + size - 1;
saddr /= AMDGPU_GPU_PAGE_SIZE;
- eaddr /= AMDGPU_GPU_PAGE_SIZE;
+ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;
/* Allocate all the needed memory */
before = kzalloc(sizeof(*before), GFP_KERNEL);
next prev parent reply other threads:[~2024-04-23 21:46 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-23 21:39 [PATCH 5.15 00/71] 5.15.157-rc1 review Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 01/71] ksmbd: dont send oplock break if rename fails Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 02/71] ksmbd: validate payload size in ipc response Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 03/71] ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 04/71] btrfs: record delayed inode root in transaction Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 05/71] SUNRPC: Fix rpcgss_context trace event acceptor field Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 06/71] selftests/ftrace: Limit length in subsystem-enable tests Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 07/71] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 08/71] bpf: Generalize check_ctx_reg for reuse with other types Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 09/71] bpf: Generally fix helper register offset check Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 10/71] bpf: Fix out of bounds access for ringbuf helpers Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 11/71] bpf: Fix ringbuf memory type confusion when passing to helpers Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 12/71] kprobes: Fix possible use-after-free issue on kprobe registration Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 13/71] Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 14/71] Revert "lockd: introduce safe async lock op" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 15/71] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 16/71] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 17/71] netfilter: br_netfilter: skip conntrack input hook for promisc packets Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 18/71] netfilter: nft_set_pipapo: do not free live element Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 19/71] netfilter: nf_flow_table: count pending offload workqueue tasks Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 20/71] netfilter: flowtable: validate pppoe header Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 21/71] netfilter: flowtable: incorrect pppoe tuple Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 22/71] af_unix: Call manage_oob() for every skb in unix_stream_read_generic() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 23/71] af_unix: Dont peek OOB data without MSG_OOB Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 24/71] tun: limit printing rate when illegal packet received by tun dev Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 25/71] net: dsa: mt7530: fix mirroring frames received on local port Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 26/71] net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 27/71] RDMA/rxe: Fix the problem "mutex_destroy missing" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 28/71] RDMA/cm: Print the old state when cm_destroy_id gets timeout Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 29/71] RDMA/mlx5: Fix port number for counter query in multi-port configuration Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 30/71] s390/qdio: handle deferred cc1 Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 31/71] s390/cio: fix race condition during online processing Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 32/71] drm: nv04: Fix out of bounds access Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 33/71] drm/panel: visionox-rm69299: dont unregister DSI device Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 34/71] clk: Remove prepare_lock hold assertion in __clk_release() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 35/71] clk: Mark all_lists as const Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 36/71] clk: remove extra empty line Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 37/71] clk: Print an info line before disabling unused clocks Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 38/71] clk: Initialize struct clk_core kref earlier Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 39/71] clk: Get runtime PM before walking tree during disable_unused Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 40/71] x86/bugs: Fix BHI retpoline check Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 41/71] x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 42/71] thunderbolt: Avoid notify PM core about runtime PM resume Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 43/71] thunderbolt: Fix wake configurations after device unplug Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 44/71] comedi: vmk80xx: fix incomplete endpoint checking Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 45/71] serial/pmac_zilog: Remove flawed mitigation for rx irq flood Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 46/71] USB: serial: option: add Fibocom FM135-GL variants Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 47/71] USB: serial: option: add support for Fibocom FM650/FG650 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 48/71] USB: serial: option: add Lonsung U8300/U9300 product Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 49/71] USB: serial: option: support Quectel EM060K sub-models Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 50/71] USB: serial: option: add Rolling RW101-GL and RW135-GL support Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 51/71] USB: serial: option: add Telit FN920C04 rmnet compositions Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 52/71] Revert "usb: cdc-wdm: close race between read and workqueue" Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 53/71] usb: dwc2: host: Fix dereference issue in DDMA completion flow Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 54/71] usb: Disable USB3 LPM at shutdown Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 55/71] usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 56/71] mei: me: disable RPL-S on SPS and IGN firmwares Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 57/71] speakup: Avoid crash on very long word Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 58/71] fs: sysfs: Fix reference leak in sysfs_break_active_protection() Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 59/71] KVM: x86: Snapshot if a vCPUs vendor model is AMD vs. Intel compatible Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 60/71] KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 61/71] arm64: hibernate: Fix level3 translation fault in swsusp_save() Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 62/71] init/main.c: Fix potential static_command_line memory overflow Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 63/71] binder: check offset alignment in binder_get_object() Greg Kroah-Hartman
2024-04-23 21:40 ` Greg Kroah-Hartman [this message]
2024-04-23 21:40 ` [PATCH 5.15 65/71] drm/vmwgfx: Sort primary plane formats by order of preference Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 66/71] nouveau: fix instmem race condition around ptr stores Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 67/71] nilfs2: fix OOB in nilfs_set_de_type Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 68/71] net: dsa: mt7530: set all CPU ports in MT7531_CPU_PMAP Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 69/71] net: dsa: introduce preferred_default_local_cpu_port and use on MT7530 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 70/71] net: dsa: mt7530: fix improper frames on all 25MHz and 40MHz XTAL MT7530 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 71/71] net: dsa: mt7530: fix enabling EEE on MT7531 switch on all boards Greg Kroah-Hartman
2024-04-23 23:00 ` [PATCH 5.15 00/71] 5.15.157-rc1 review SeongJae Park
2024-04-23 23:32 ` Florian Fainelli
2024-04-24 7:25 ` Pavel Machek
2024-04-24 7:32 ` Pavel Machek
2024-04-24 7:57 ` Naresh Kamboju
2024-04-24 9:21 ` Peter Oberparleiter
2024-04-27 14:26 ` Greg Kroah-Hartman
2024-04-24 8:28 ` Ron Economos
2024-04-24 9:30 ` Harshit Mogalapalli
2024-04-25 8:59 ` Jon Hunter
2024-04-25 20:19 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240423213846.402979155@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.deucher@amd.com \
--cc=christian.koenig@amd.com \
--cc=hexed@google.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=xinhui.pan@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox