[PATCH v7 07/14] drm/amdgpu: validate userq buffer virtual address and size
Liang, Prike
Prike.Liang at amd.com
Tue Jul 22 09:05:01 UTC 2025
[Public]
This patch will be updated in the next version.
Regards,
Prike
> -----Original Message-----
> From: Liang, Prike <Prike.Liang at amd.com>
> Sent: Tuesday, July 22, 2025 3:46 PM
> To: amd-gfx at lists.freedesktop.org
> Cc: Deucher, Alexander <Alexander.Deucher at amd.com>; Koenig, Christian
> <Christian.Koenig at amd.com>; Liang, Prike <Prike.Liang at amd.com>; Deucher,
> Alexander <Alexander.Deucher at amd.com>
> Subject: [PATCH v7 07/14] drm/amdgpu: validate userq buffer virtual address and
> size
>
> It needs to validate the userq object virtual address to determin whether it is
> residented in a valid vm mapping.
>
> Signed-off-by: Prike Liang <Prike.Liang at amd.com>
> Reviewed-by: Alex Deucher <alexander.deucher at amd.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 39 ++++++++++++++++++++++
> drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h | 2 ++
> drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 22 ++++++++++++
> 3 files changed, 63 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> index b670ca8111f3..52dc64384bdc 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> @@ -44,6 +44,36 @@ u32 amdgpu_userq_get_supported_ip_mask(struct
> amdgpu_device *adev)
> return userq_ip_mask;
> }
>
> +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> + u64 expected_size)
> +{
> + struct amdgpu_bo_va_mapping *va_map;
> + u64 user_addr;
> + u64 size;
> + int r = 0;
> +
> + user_addr = (addr & AMDGPU_GMC_HOLE_MASK) >>
> AMDGPU_GPU_PAGE_SHIFT;
> + size = expected_size >> AMDGPU_GPU_PAGE_SHIFT;
> +
> + r = amdgpu_bo_reserve(vm->root.bo, false);
> + if (r)
> + return r;
> +
> + va_map = amdgpu_vm_bo_lookup_mapping(vm, user_addr);
> + if (!va_map) {
> + r = -EINVAL;
> + goto out_err;
> + }
> + /* Only validate the userq whether resident in the VM mapping range */
> + if (user_addr >= va_map->last ||
> + va_map->last - user_addr + 1 > size)
> + r = -EINVAL;
> +
> +out_err:
> + amdgpu_bo_unreserve(vm->root.bo);
> + return r;
> +}
> +
> static int
> amdgpu_userq_unmap_helper(struct amdgpu_userq_mgr *uq_mgr,
> struct amdgpu_usermode_queue *queue) @@ -399,6
> +429,15 @@ amdgpu_userq_create(struct drm_file *filp, union drm_amdgpu_userq
> *args)
> r = -ENOMEM;
> goto unlock;
> }
> +
> + /* Validate the userq virtual address.*/
> + if (amdgpu_userq_input_va_validate(&fpriv->vm, args->in.queue_va, args-
> >in.queue_size) ||
> + amdgpu_userq_input_va_validate(&fpriv->vm, args->in.rptr_va,
> PAGE_SIZE) ||
> + amdgpu_userq_input_va_validate(&fpriv->vm, args->in.wptr_va,
> PAGE_SIZE)) {
> + queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> + kfree(queue);
> + goto unlock;
> + }
> queue->doorbell_handle = args->in.doorbell_handle;
> queue->queue_type = args->in.ip_type;
> queue->vm = &fpriv->vm;
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> index 694f850d102e..0eb2a9c2e340 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> @@ -135,4 +135,6 @@ int amdgpu_userq_stop_sched_for_enforce_isolation(struct
> amdgpu_device *adev, int amdgpu_userq_start_sched_for_enforce_isolation(struct
> amdgpu_device *adev,
> u32 idx);
>
> +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> + u64 expected_size);
> #endif
> diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> index 1457fb49a794..6e29e85bbf9f 100644
> --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> @@ -206,6 +206,7 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> struct amdgpu_mqd *mqd_hw_default = &adev->mqds[queue->queue_type];
> struct drm_amdgpu_userq_in *mqd_user = args_in;
> struct amdgpu_mqd_prop *userq_props;
> + struct amdgpu_gfx_shadow_info shadow_info;
> int r;
>
> /* Structure to initialize MQD for userqueue using generic MQD init function */
> @@ -231,6 +232,8 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> userq_props->doorbell_index = queue->doorbell_index;
> userq_props->fence_address = queue->fence_drv->gpu_addr;
>
> + if (adev->gfx.funcs->get_gfx_shadow_info)
> + adev->gfx.funcs->get_gfx_shadow_info(adev, &shadow_info, true);
> if (queue->queue_type == AMDGPU_HW_IP_COMPUTE) {
> struct drm_amdgpu_userq_mqd_compute_gfx11 *compute_mqd;
>
> @@ -247,6 +250,12 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> goto free_mqd;
> }
>
> + if (amdgpu_userq_input_va_validate(queue->vm, compute_mqd-
> >eop_va,
> + max_t(u32, PAGE_SIZE,
> AMDGPU_GPU_PAGE_SIZE))) {
> + queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> + goto free_mqd;
> + }
> +
> userq_props->eop_gpu_addr = compute_mqd->eop_va;
> userq_props->hqd_pipe_priority =
> AMDGPU_GFX_PIPE_PRIO_NORMAL;
> userq_props->hqd_queue_priority =
> AMDGPU_GFX_QUEUE_PRIORITY_MINIMUM;
> @@ -274,6 +283,13 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> userq_props->csa_addr = mqd_gfx_v11->csa_va;
> userq_props->tmz_queue =
> mqd_user->flags &
> AMDGPU_USERQ_CREATE_FLAGS_QUEUE_SECURE;
> +
> + if (amdgpu_userq_input_va_validate(queue->vm, mqd_gfx_v11-
> >shadow_va,
> + shadow_info.shadow_size)) {
> + queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> + goto free_mqd;
> + }
> +
> kfree(mqd_gfx_v11);
> } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
> struct drm_amdgpu_userq_mqd_sdma_gfx11 *mqd_sdma_v11; @@
> -291,6 +307,12 @@ static int mes_userq_mqd_create(struct amdgpu_userq_mgr
> *uq_mgr,
> goto free_mqd;
> }
>
> + if (amdgpu_userq_input_va_validate(queue->vm, mqd_sdma_v11-
> >csa_va,
> + shadow_info.csa_size)) {
> + queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> + goto free_mqd;
> + }
> +
> userq_props->csa_addr = mqd_sdma_v11->csa_va;
> kfree(mqd_sdma_v11);
> }
> --
> 2.34.1
More information about the amd-gfx
mailing list