[PATCH v2 04/11] drm/amdgpu: validate userq buffer virtual address and size
Liang, Prike
Prike.Liang at amd.com
Thu Jun 19 09:56:37 UTC 2025
[Public]
Regards,
Prike
> -----Original Message-----
> From: amd-gfx <amd-gfx-bounces at lists.freedesktop.org> On Behalf Of Alex
> Deucher
> Sent: Tuesday, June 17, 2025 11:25 PM
> To: Liang, Prike <Prike.Liang at amd.com>
> Cc: amd-gfx at lists.freedesktop.org; Deucher, Alexander
> <Alexander.Deucher at amd.com>; Koenig, Christian <Christian.Koenig at amd.com>
> Subject: Re: [PATCH v2 04/11] drm/amdgpu: validate userq buffer virtual address
> and size
>
> On Tue, Jun 17, 2025 at 4:27 AM Prike Liang <Prike.Liang at amd.com> wrote:
> >
> > The userq object virtual addresses need to be validated to check
> > that they reside in a VM mapping.
> >
> > Signed-off-by: Prike Liang <Prike.Liang at amd.com>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 50
> > +++++++++++++++++++++- drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h |
> > 2 + drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 24 +++++++++++
> > 3 files changed, 74 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > index dca0f76c9fce..db47e90b8c83 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > @@ -31,6 +31,8 @@
> > #include "amdgpu_userq.h"
> > #include "amdgpu_userq_fence.h"
> >
> > +#define amdgpu_userq_va_align(va) (va & AMDGPU_GMC_HOLE_MASK) >>
> > +AMDGPU_GPU_PAGE_SHIFT
> > +
> > u32 amdgpu_userq_get_supported_ip_mask(struct amdgpu_device *adev) {
> > int i;
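Review bot: The `amdgpu_userq_va_align()` macro added at the top of this hunk parenthesizes neither its argument nor its whole expansion, so an argument such as `a + b`, or a use inside a larger expression, would be evaluated with the wrong precedence. Because the result feeds the VA range check, it should be made robust: `#define amdgpu_userq_va_align(va) (((va) & AMDGPU_GMC_HOLE_MASK) >> AMDGPU_GPU_PAGE_SHIFT)`, or a `static inline` helper taking a `u64`. The name also suggests alignment, while the expansion converts an address into a GPU page number; a one-line comment saying so would help.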
> > @@ -44,6 +46,36 @@ u32 amdgpu_userq_get_supported_ip_mask(struct
> amdgpu_device *adev)
> > return userq_ip_mask;
> > }
> >
> > +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> > + u64 expected_size) {
> > + struct amdgpu_bo_va_mapping *va_map;
> > + u64 user_addr;
> > + u64 size;
> > + int r;
> > +
> > + user_addr = amdgpu_userq_va_align(addr);
> > + size = expected_size >> AMDGPU_GPU_PAGE_SHIFT;
> > +
> > + r = amdgpu_bo_reserve(vm->root.bo, false);
> > + if (r)
> > + return r;
> > +
> > + va_map = amdgpu_vm_bo_lookup_mapping(vm, user_addr);
> > + if (!va_map)
> > + goto out_err;
> > + /* Only validate the userq whether residen in the VM mapping
> > + range */
>
> resident
>
> > + if (user_addr >= va_map->start &&
> > + (size != 0 && user_addr + size - 1 <=
> > + va_map->last)) {
>
> indentation here looks off.
>
> > + amdgpu_bo_unreserve(vm->root.bo);
> > + return 0;
> > + }
> > +
> > +out_err:
> > + amdgpu_bo_unreserve(vm->root.bo);
> > + return -EINVAL;
> > +}
> > +
> > static int
> > amdgpu_userq_unmap_helper(struct amdgpu_userq_mgr *uq_mgr,
> > struct amdgpu_usermode_queue *queue) @@
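Review bot: `size = expected_size >> AMDGPU_GPU_PAGE_SHIFT` in amdgpu_userq_input_va_validate() rounds the length down to whole GPU pages, so any expected_size smaller than one GPU page becomes 0 and the `size != 0` test then rejects it unconditionally; this patch's own `MQD_FWWORKAREA_SIZE` (484) appears to hit that case. For larger sizes that are not page multiples, the trailing partial page is left out of the range check, which weakens validation of the caller-supplied queue_size. Rounding up covers both, e.g. `size = (expected_size >> AMDGPU_GPU_PAGE_SHIFT) + !!(expected_size & (AMDGPU_GPU_PAGE_SIZE - 1));`, with a zero expected_size rejected explicitly before the lookup. The function would also benefit from a kernel-doc comment stating that addr is a GPU virtual address, that the comparison is in GPU-page units, and that the result only holds at the time of the call unless callers prevent the mapping from being removed afterwards.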
> > -391,6 +423,14 @@ amdgpu_userq_create(struct drm_file *filp, union
> drm_amdgpu_userq *args)
> > r = -EINVAL;
> > goto unlock;
> > }
> > + /* Validate the userq virtual address.*/
> > + if (amdgpu_userq_input_va_validate(&fpriv->vm, args->in.queue_va, args-
> >in.queue_size) ||
> > + amdgpu_userq_input_va_validate(&fpriv->vm, args->in.rptr_va,
> PAGE_SIZE) ||
> > + amdgpu_userq_input_va_validate(&fpriv->vm,
> > + args->in.wptr_va, PAGE_SIZE)) {
>
> indentation here looks off.
Noted.
> > + drm_file_err(uq_mgr->file, "Usermode queue input virt address is
> invalid\n");
> > + r = -EINVAL;
> > + goto unlock;
> > + }
> >
> > queue = kzalloc(sizeof(struct amdgpu_usermode_queue), GFP_KERNEL);
> > if (!queue) {
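Review bot: The new check in amdgpu_userq_create() discards the error code from amdgpu_userq_input_va_validate(): the helper returns whatever amdgpu_bo_reserve() returned when the reservation fails, but the caller overwrites it with -EINVAL and logs an invalid address. If that reservation can be interrupted (it is requested with `false`, which looks like the interruptible form; confirm), a signal would be reported to userspace as a bad argument instead of a restartable call. Keeping the result, e.g. `r = amdgpu_userq_input_va_validate(&fpriv->vm, args->in.queue_va, args->in.queue_size); if (r) goto unlock;` per address, also lets the message name which of queue/rptr/wptr failed. The three mes_userq_mqd_create() hunks in mes_userqueue.c follow the same pattern. amdgpu_userq_create() starts and ends outside this hunk.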
> > @@ -501,11 +541,17 @@ static int amdgpu_userq_input_args_validate(struct
> drm_device *dev,
> > }
> >
> > if (args->in.queue_va == AMDGPU_BO_INVALID_OFFSET ||
> > - args->in.queue_size == 0) {
> > + args->in.queue_size == 0 ||
> > + !access_ok(u64_to_user_ptr(args->in.queue_va &
> AMDGPU_GMC_HOLE_MASK),
> > + args->in.queue_size)) {
>
> indentation here looks off.
>
> Also, the VAs are GPU virtual addresses not user virtual addresses so I don't think
> this check is valid.
But the object VA in the userq input IOCTL arguments is a CPU pointer, and it is also CPU-visible memory,
so does it make sense here to validate CPU access through access_ok()?
> > drm_file_err(filp, "invalidate userq queue va or size\n");
> > return -EINVAL;
> > }
> > - if (!args->in.wptr_va || !args->in.rptr_va) {
> > + if (!args->in.wptr_va || !args->in.rptr_va ||
> > + !access_ok(u64_to_user_ptr(args->in.wptr_va &
> AMDGPU_GMC_HOLE_MASK),
> > + sizeof(uint64_t)) ||
> > + !access_ok(u64_to_user_ptr(args->in.rptr_va &
> AMDGPU_GMC_HOLE_MASK),
> > + sizeof(uint64_t))) {
>
> Same comment here.
>
> > drm_file_err(filp, "invalidate userq queue rptr or wptr\n");
> > return -EINVAL;
> > }
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > index ec040c2fd6c9..704935ca0c36 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > @@ -132,4 +132,6 @@ int
> > amdgpu_userq_stop_sched_for_enforce_isolation(struct amdgpu_device *adev,
> int amdgpu_userq_start_sched_for_enforce_isolation(struct amdgpu_device *adev,
> > u32 idx);
> >
> > +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> > + u64 expected_size);
> > #endif
> > diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > index c6f7b613e684..6ba051bd3682 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > @@ -28,6 +28,8 @@
> >
> > #define AMDGPU_USERQ_PROC_CTX_SZ PAGE_SIZE #define
> > AMDGPU_USERQ_GANG_CTX_SZ PAGE_SIZE
> > +#define MQD_SHADOW_BASE_SIZE 73728
> > +#define MQD_FWWORKAREA_SIZE 484
>
> These might be different across IP versions. Might be better to query these from
> gfx? there is get_gfx_shadow_info in struct amdgpu_gfx_funcs.
I considered using adev->gfx.funcs->get_gfx_shadow_info() before, but since the size is a constant with the same value on gfx11 and gfx12, I simplified it to a constant assignment.
I will use the get-information callback so that the code adapts to upcoming ASICs.
> Alex
>
> >
> > static int
> > mes_userq_map_gtt_bo_to_gart(struct amdgpu_bo *bo) @@ -254,6 +256,13
> > @@ static int mes_userq_mqd_create(struct amdgpu_userq_mgr *uq_mgr,
> > goto free_mqd;
> > }
> >
> > + if (amdgpu_userq_input_va_validate(queue->vm, compute_mqd-
> >eop_va,
> > + max_t(u32, PAGE_SIZE,
> AMDGPU_GPU_PAGE_SIZE))) {
> > + drm_file_err(uq_mgr->file, "EOP VA is invalid\n");
> > + r = -EINVAL;
> > + goto free_mqd;
> > + }
> > +
> > userq_props->eop_gpu_addr = compute_mqd->eop_va;
> > userq_props->hqd_pipe_priority =
> AMDGPU_GFX_PIPE_PRIO_NORMAL;
> > userq_props->hqd_queue_priority =
> > AMDGPU_GFX_QUEUE_PRIORITY_MINIMUM;
> > @@ -281,6 +290,14 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> > userq_props->csa_addr = mqd_gfx_v11->csa_va;
> > userq_props->tmz_queue =
> > mqd_user->flags &
> > AMDGPU_USERQ_CREATE_FLAGS_QUEUE_SECURE;
> > +
> > + if (amdgpu_userq_input_va_validate(queue->vm, mqd_gfx_v11-
> >shadow_va,
> > + MQD_SHADOW_BASE_SIZE)) {
> > + drm_file_err(uq_mgr->file, "shadow VA is invalid\n");
> > + r = -EINVAL;
> > + goto free_mqd;
> > + }
> > +
> > kfree(mqd_gfx_v11);
> > } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
> > struct drm_amdgpu_userq_mqd_sdma_gfx11 *mqd_sdma_v11;
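Review bot: The new failure branch for the shadow VA jumps to `free_mqd` while `kfree(mqd_gfx_v11);` only runs on the line after the check, so a rejected address appears to leak the mqd_gfx_v11 buffer; the free_mqd label is outside the hunk, so confirm it does not free it. Since the address comes from the ioctl caller, such a leak would be repeatable on demand. The SDMA hunk below has the same ordering with `kfree(mqd_sdma_v11);`, and the compute hunk above may as well (its kfree is not visible). Either add `kfree(mqd_gfx_v11);` before `goto free_mqd`, or validate after the fields have been copied and the buffer freed. Separately, `mqd_gfx_v11->csa_va` is assigned to `userq_props->csa_addr` in the context lines without an equivalent check, unlike the SDMA path.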
> > @@ -298,6 +315,13 @@ static int mes_userq_mqd_create(struct
> amdgpu_userq_mgr *uq_mgr,
> > goto free_mqd;
> > }
> >
> > + if (amdgpu_userq_input_va_validate(queue->vm, mqd_sdma_v11-
> >csa_va,
> > + MQD_FWWORKAREA_SIZE)) {
> > + drm_file_err(uq_mgr->file, "CSA VA is invalid\n");
> > + r = -EINVAL;
> > + goto free_mqd;
> > + }
> > +
> > userq_props->csa_addr = mqd_sdma_v11->csa_va;
> > kfree(mqd_sdma_v11);
> > }
> > --
> > 2.34.1
> >