[PATCH 4/9] drm/amdgpu: validate userq buffer virtual address and size

Alex Deucher alexdeucher at gmail.com
Fri May 30 21:48:20 UTC 2025


On Fri, May 30, 2025 at 3:56 AM Prike Liang <Prike.Liang at amd.com> wrote:
>
> The userq object virtual address needs to be validated, i.e. checked
> for whether it is valid in the vm mapping.
>
> Signed-off-by: Prike Liang <Prike.Liang at amd.com>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c  | 56 +++++++++++++++++++++-
>  drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h  |  2 +
>  drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 25 +++++++++-
>  3 files changed, 80 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> index f45585bd5872..32e88064bdea 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> @@ -44,6 +44,41 @@ u32 amdgpu_userq_get_supported_ip_mask(struct amdgpu_device *adev)
>         return userq_ip_mask;
>  }
>
> +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> +                        u64 expected_size)
> +{
> +       struct amdgpu_bo_va_mapping *mapping;
> +       u64 user_addr;
> +       u64 size;
> +       int r;
> +
> +       addr &= AMDGPU_GMC_HOLE_MASK;
> +       user_addr = ALIGN_DOWN(addr >> AMDGPU_GPU_PAGE_SHIFT, 0x100);
> +       size = expected_size >> AMDGPU_GPU_PAGE_SHIFT;
> +
> +       r = amdgpu_bo_reserve(vm->root.bo, false);
> +       if (r)
> +               return r;
> +
> +       mapping = amdgpu_vm_bo_lookup_mapping(vm, user_addr);
> +       if (!mapping)
> +               goto out_err;
> +
> +       if (user_addr != mapping->start ||
> +           (size != 0 && user_addr + size - 1 != mapping->last)) {
> +               pr_debug("expected size 0x%llx not equal to mapping addr 0x%llx size 0x%llx\n",
> +                       expected_size, mapping->start << AMDGPU_GPU_PAGE_SHIFT,
> +                       (mapping->last - mapping->start + 1) << AMDGPU_GPU_PAGE_SHIFT);
> +               goto out_err;
> +       }
> +       amdgpu_bo_unreserve(vm->root.bo);
> +       return 0;
> +
> +out_err:
> +       amdgpu_bo_unreserve(vm->root.bo);
> +       return -EINVAL;
> +}
> +
>  static int
>  amdgpu_userq_unmap_helper(struct amdgpu_userq_mgr *uq_mgr,
>                           struct amdgpu_usermode_queue *queue)
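Review bot: The lookup and the comparison in amdgpu_userq_input_va_validate() use `user_addr`, which is the caller's page number rounded down to a 0x100-page boundary, so the range checked is not necessarily the range `[addr, addr + expected_size)` the caller asked about. Using the page number directly, `user_addr = addr >> AMDGPU_GPU_PAGE_SHIFT;`, keeps the check on the address that was actually passed in. The `size != 0 &&` guard also skips the end comparison for any `expected_size` smaller than one GPU page, which should be either rejected or rounded up to one page. Since the function is declared in the header for other files, a kernel-doc comment should state that the answer only holds while the root BO is reserved, because the reservation is dropped before returning and nothing visible here keeps the mapping in place afterwards.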
> @@ -394,6 +429,17 @@ amdgpu_userq_create(struct drm_file *filp, union drm_amdgpu_userq *args)
>                 r = -EINVAL;
>                 goto unlock;
>         }
> +       /* Validate the userq virtual address.
> +        * TODO: Need to firgure out why the queue_size(args->in.queue_size)) doesn't match
> +        * with mesa request size. As a workaround there fix the queue_size to the 0x200000.
> +        */

We just want to validate that the queue is fully within a valid
virtual address range for a single buffer.  It doesn't matter if the
queue address is at the start.  Mesa could allocate a single buffer
for all of its user queues and then suballocate ring buffers and other
metadata out of the memory.

Alex

> +       if (amdgpu_userq_input_va_validate(&fpriv->vm, args->in.queue_va, 0x200000) ||
> +                       amdgpu_userq_input_va_validate(&fpriv->vm, args->in.rptr_va, PAGE_SIZE) ||
> +                       amdgpu_userq_input_va_validate(&fpriv->vm, args->in.wptr_va, PAGE_SIZE)) {
> +               drm_file_err(uq_mgr->file, "Usermode queue input virt address is invalidated\n");
> +               r = -EINVAL;
> +               goto unlock;
> +       }
>
>         queue = kzalloc(sizeof(struct amdgpu_usermode_queue), GFP_KERNEL);
>         if (!queue) {
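Review bot: The ring buffer is checked against a fixed `0x200000` instead of `args->in.queue_size`, so a request with a larger `queue_size` passes without its tail being compared with the mapping (assuming `queue_size` is what the queue is later programmed with, which happens outside this hunk). The rptr/wptr checks pass `PAGE_SIZE`, the CPU page size, to a helper that works in units of `AMDGPU_GPU_PAGE_SHIFT`, while the access_ok() checks added further down in this patch size the same pointers as `sizeof(uint64_t)`; one size should be picked for them and named. The `||` chain also discards the helper's return value, which is not always -EINVAL because amdgpu_bo_reserve() is called with `false` and can presumably fail with -ERESTARTSYS; `r = amdgpu_userq_input_va_validate(...); if (r) goto unlock;` per address would keep it. The callers added in mes_userqueue.c overwrite the result with -EINVAL in the same way. amdgpu_userq_create() starts and ends outside the hunk.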
> @@ -504,11 +550,17 @@ static int amdgpu_userq_input_args_validate(struct drm_device *dev,
>                 }
>
>                 if (args->in.queue_va == AMDGPU_BO_INVALID_OFFSET ||
> -                               args->in.queue_size == 0) {
> +                               args->in.queue_size == 0 ||
> +                               !access_ok(u64_to_user_ptr(args->in.queue_va & AMDGPU_GMC_HOLE_MASK),
> +                                       args->in.queue_size)) {
>                         drm_file_err(filp, "invalidate userq queue va or size\n");
>                         return -EINVAL;
>                 }
> -               if (!args->in.wptr_va || !args->in.rptr_va) {
> +               if (!args->in.wptr_va || !args->in.rptr_va ||
> +                       !access_ok(u64_to_user_ptr(args->in.wptr_va & AMDGPU_GMC_HOLE_MASK),
> +                                               sizeof(uint64_t)) ||
> +                       !access_ok(u64_to_user_ptr(args->in.rptr_va & AMDGPU_GMC_HOLE_MASK),
> +                                               sizeof(uint64_t))) {
>                         drm_file_err(filp, "invalidate userq queue rptr or wptr\n");
>                         return -EINVAL;
>                 }
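Review bot: access_ok() only tests a range against the CPU user address-space limit, whereas `queue_va`, `rptr_va` and `wptr_va` are looked up elsewhere in this patch as GPU VM addresses through amdgpu_vm_bo_lookup_mapping(). These three checks therefore do not show that a GPU mapping exists, and they may reject an address that is valid in the GPU VM but lies outside the CPU user range. If the two address spaces are expected to coincide for user queues, a comment above the checks should state that assumption; otherwise the VM lookup is the meaningful check and the access_ok() calls add nothing. amdgpu_userq_input_args_validate() continues outside the hunk.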
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> index ec040c2fd6c9..375fba639c94 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> @@ -132,4 +132,6 @@ int amdgpu_userq_stop_sched_for_enforce_isolation(struct amdgpu_device *adev,
>  int amdgpu_userq_start_sched_for_enforce_isolation(struct amdgpu_device *adev,
>                                                    u32 idx);
>
> +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> +                                       u64 expected_size);
>  #endif
> diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> index b46e67b179fc..4ba064e6dda0 100644
> --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> @@ -28,6 +28,7 @@
>
>  #define AMDGPU_USERQ_PROC_CTX_SZ PAGE_SIZE
>  #define AMDGPU_USERQ_GANG_CTX_SZ PAGE_SIZE
> +#define MQD_SHADOW_BASE_SIZE      73728
>
>  static int
>  mes_userq_map_gtt_bo_to_gart(struct amdgpu_bo *bo)
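Review bot: `MQD_SHADOW_BASE_SIZE` is added here but no hunk in this patch references it, and the value 73728 carries no comment saying where it comes from. Either drop the define from this patch or add a one-line comment giving the origin of the value at the point where it is first used.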
> @@ -246,6 +247,19 @@ static int mes_userq_mqd_create(struct amdgpu_userq_mgr *uq_mgr,
>                         r = -ENOMEM;
>                         goto free_mqd;
>                 }
> +               /*
> +                * EOP VA size = MEC_HPD_SIZE * adev->gfx.num_compute_rings.
> +                * Since the userq support newer than gfx10, so the keep MEC_HPD_SIZE as 2048.
> +                * TODO: It requires figuring out why the EOP VA not match with MEC_HPD_SIZE *
> +                * adev->gfx.num_compute_rings.
> +                */

The EOP size is MEC_HPD_SIZE.  We only multiply it by
adev->gfx.num_compute_rings for kernel queues because we use one
allocation for the EOP buffer for all of the kernel queues.

> +               if (amdgpu_userq_input_va_validate(queue->vm, compute_mqd->eop_va,
> +                                               /*ALIGN(2048 * adev->gfx.num_compute_rings, PAGE_SIZE)*/
> +                                               0x200000)) {
> +                       drm_file_err(uq_mgr->file, "EOP VA is invalidated\n");
> +                       r = -EINVAL;
> +                       goto free_mqd;
> +               }
>
>                 userq_props->eop_gpu_addr = compute_mqd->eop_va;
>                 userq_props->hqd_pipe_priority = AMDGPU_GFX_PIPE_PRIO_NORMAL;
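Review bot: The new `goto free_mqd` is taken while `compute_mqd` is still allocated, and the gfx hunk that follows does the same with `mqd_gfx_v11`, whose `kfree(mqd_gfx_v11)` is visible only after the new check. Unless the `free_mqd` label, which is outside these hunks, releases those temporaries, each rejected request leaks one allocation. Adding `kfree(compute_mqd);` before `goto free_mqd;` here, and `kfree(mqd_gfx_v11);` in the gfx branch, closes that. The commented-out `ALIGN(2048 * ...)` argument should be removed rather than left inside the call.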
> @@ -274,6 +288,15 @@ static int mes_userq_mqd_create(struct amdgpu_userq_mgr *uq_mgr,
>                 userq_props->csa_addr = mqd_gfx_v11->csa_va;
>                 userq_props->tmz_queue =
>                         mqd_user->flags & AMDGPU_USERQ_CREATE_FLAGS_QUEUE_SECURE;
> +
> +               /* TODO: Need to check the shadow WA size doesn't match with mesa request.*/
> +               if (amdgpu_userq_input_va_validate(queue->vm, mqd_gfx_v11->shadow_va,
> +                                       0x200000)) {

The shadow size should be >= the shadow size defined in struct
amdgpu_gfx_shadow_info and returned by
adev->gfx.funcs->get_gfx_shadow_info().

> +                       drm_file_err(uq_mgr->file, "shadow VA is invalidated\n");
> +                       r = -EINVAL;
> +                       goto free_mqd;
> +               }
> +
>                 kfree(mqd_gfx_v11);
>         } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
>                 struct drm_amdgpu_userq_mqd_sdma_gfx11 *mqd_sdma_v11;
> @@ -290,7 +313,7 @@ static int mes_userq_mqd_create(struct amdgpu_userq_mgr *uq_mgr,
>                         r = -ENOMEM;
>                         goto free_mqd;
>                 }
> -
> +               /* TODO: validate the csa and check the va size as well.*/

See adev->gfx.funcs->get_gfx_shadow_info() here as well.

Alex

>                 userq_props->csa_addr = mqd_sdma_v11->csa_va;
>                 kfree(mqd_sdma_v11);
>         }
> --
> 2.34.1
>

