Commit cd7cfcdb authored by Ce Sun's avatar Ce Sun Committed by Alex Deucher
Browse files

drm/amdgpu: avoid integer overflow in VA range check 



The original addition operation in 64-bit unsigned type may encounter
overflow situations. To prevent such issues and safely reject invalid
inputs, the check_add_overflow() function is used.

Signed-off-by: default avatarCe Sun <cesun102@amd.com>
Reviewed-by: default avatarTao Zhou <tao.zhou1@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cc768f4dd0bb9083c813683eeec44fc23921f771)
parent 893fea60

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c

+2 −2
Original line number Diff line number Diff line
@@ -825,7 +825,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data, 
	struct drm_syncobj *timeline_syncobj = NULL;

	struct dma_fence_chain *timeline_chain = NULL;

	struct drm_exec exec;

	uint64_t vm_size;

	uint64_t vm_size, tmp;

	int r = 0;



	/* Validate virtual address range against reserved regions. */
@@ -849,7 +849,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data, 


	vm_size = adev->vm_manager.max_pfn * AMDGPU_GPU_PAGE_SIZE;

	vm_size -= AMDGPU_VA_RESERVED_TOP;

	if (args->va_address + args->map_size > vm_size) {

	if (check_add_overflow(args->va_address, args->map_size, &tmp) || tmp > vm_size) {

		dev_dbg(dev->dev,

			"va_address 0x%llx is in top reserved area 0x%llx\n",

			args->va_address + args->map_size, vm_size);