!6716 CVE-2024-26922 (2f2cecd5) · Commits · EulixOS / Software / Kernel

drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c

+46 −24

Original line number	Diff line number	Diff line
		@@ -2048,6 +2048,37 @@ static void amdgpu_vm_bo_insert_map(struct amdgpu_device *adev,
		trace_amdgpu_vm_bo_map(bo_va, mapping);
		}

		/* Validate operation parameters to prevent potential abuse */
		static int amdgpu_vm_verify_parameters(struct amdgpu_device *adev,
		struct amdgpu_bo *bo,
		uint64_t saddr,
		uint64_t offset,
		uint64_t size)
		{
		uint64_t tmp, lpfn;

		if (saddr & AMDGPU_GPU_PAGE_MASK
		\|\| offset & AMDGPU_GPU_PAGE_MASK
		\|\| size & AMDGPU_GPU_PAGE_MASK)
		return -EINVAL;

		if (check_add_overflow(saddr, size, &tmp)
		\|\| check_add_overflow(offset, size, &tmp)
		\|\| size == 0 /* which also leads to end < begin */)
		return -EINVAL;

		/* make sure object fit at this offset */
		if (bo && offset + size > amdgpu_bo_size(bo))
		return -EINVAL;

		/* Ensure last pfn not exceed max_pfn */
		lpfn = (saddr + size - 1) >> AMDGPU_GPU_PAGE_SHIFT;
		if (lpfn >= adev->vm_manager.max_pfn)
		return -EINVAL;

		return 0;
		}

		/**
		* amdgpu_vm_bo_map - map bo inside a vm
		*
		@@ -2074,20 +2105,14 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev,
		struct amdgpu_bo *bo = bo_va->base.bo;
		struct amdgpu_vm *vm = bo_va->base.vm;
		uint64_t eaddr;
		int r;

		/* validate the parameters */
		if (saddr & AMDGPU_GPU_PAGE_MASK \|\| offset & AMDGPU_GPU_PAGE_MASK \|\|
		size == 0 \|\| size & AMDGPU_GPU_PAGE_MASK)
		return -EINVAL;

		/* make sure object fit at this offset */
		eaddr = saddr + size - 1;
		if (saddr >= eaddr \|\|
		(bo && offset + size > amdgpu_bo_size(bo)))
		return -EINVAL;
		r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size);
		if (r)
		return r;

		saddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;

		tmp = amdgpu_vm_it_iter_first(&vm->va, saddr, eaddr);
		if (tmp) {
		@@ -2140,16 +2165,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
		uint64_t eaddr;
		int r;

		/* validate the parameters */
		if (saddr & AMDGPU_GPU_PAGE_MASK \|\| offset & AMDGPU_GPU_PAGE_MASK \|\|
		size == 0 \|\| size & AMDGPU_GPU_PAGE_MASK)
		return -EINVAL;

		/* make sure object fit at this offset */
		eaddr = saddr + size - 1;
		if (saddr >= eaddr \|\|
		(bo && offset + size > amdgpu_bo_size(bo)))
		return -EINVAL;
		r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size);
		if (r)
		return r;

		/* Allocate all the needed memory */
		mapping = kmalloc(sizeof(*mapping), GFP_KERNEL);
		@@ -2163,7 +2181,7 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
		}

		saddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;

		mapping->start = saddr;
		mapping->last = eaddr;
		@@ -2250,10 +2268,14 @@ int amdgpu_vm_bo_clear_mappings(struct amdgpu_device *adev,
		struct amdgpu_bo_va_mapping before, after, tmp, next;
		LIST_HEAD(removed);
		uint64_t eaddr;
		int r;

		r = amdgpu_vm_verify_parameters(adev, NULL, saddr, 0, size);
		if (r)
		return r;

		eaddr = saddr + size - 1;
		saddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr /= AMDGPU_GPU_PAGE_SIZE;
		eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE;

		/* Allocate all the needed memory */
		before = kzalloc(sizeof(*before), GFP_KERNEL);