amdgpu: validate offset_in_bo of drm_amdgpu_gem_va

From Chia-I Wu
b10db1d2137415e5e7f9706d96cfe77539c499d4 in linux-6.1.y/6.1.39
9f0bcf49e9895cb005d78b33a5eebfa11711b425 in mainline linux

diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm.c
index d3a369f..1d6ff4d 100644 (file)
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm.c
@@ -1489,14 +1489,14 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev,
        uint64_t eaddr;
 
        /* validate the parameters */
-       if (saddr & ~LINUX_PAGE_MASK || offset & ~LINUX_PAGE_MASK ||
-           size == 0 || size & ~LINUX_PAGE_MASK)
+       if (saddr & ~LINUX_PAGE_MASK || offset & ~LINUX_PAGE_MASK || size & ~LINUX_PAGE_MASK)
+               return -EINVAL;
+       if (saddr + size <= saddr || offset + size <= offset)
                return -EINVAL;
 
        /* make sure object fit at this offset */
        eaddr = saddr + size - 1;
-       if (saddr >= eaddr ||
-           (bo && offset + size > amdgpu_bo_size(bo)) ||
+       if ((bo && offset + size > amdgpu_bo_size(bo)) ||
            (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
                return -EINVAL;
 
@@ -1555,14 +1555,14 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev,
        int r;
 
        /* validate the parameters */
-       if (saddr & ~LINUX_PAGE_MASK || offset & ~LINUX_PAGE_MASK ||
-           size == 0 || size & ~LINUX_PAGE_MASK)
+       if (saddr & ~LINUX_PAGE_MASK || offset & ~LINUX_PAGE_MASK || size & ~LINUX_PAGE_MASK)
+               return -EINVAL;
+       if (saddr + size <= saddr || offset + size <= offset)
                return -EINVAL;
 
        /* make sure object fit at this offset */
        eaddr = saddr + size - 1;
-       if (saddr >= eaddr ||
-           (bo && offset + size > amdgpu_bo_size(bo)) ||
+       if ((bo && offset + size > amdgpu_bo_size(bo)) ||
            (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT))
                return -EINVAL;