Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:
- [Medium] Integer overflow in `panthor_vm_is_kernel_address()` bypasses the 
newly added kernel BO range check.
--

commit 517863d5c6821783c9329a7a6ac1663177dce0ba
Author: Adrián Larumbe <[email protected]>

drm/panthor: Add vm_bind region with kbo range intersection check

This commit adds a check during VM binding to ensure that user-exposed BO
mappings do not intersect with the virtual address space carve-out reserved
for kernel BOs. It introduces panthor_vm_is_kernel_address() to evaluate if
the requested mapping overlaps with the kernel VA range.

> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c 
> b/drivers/gpu/drm/panthor/panthor_mmu.c
> index 31cc57029c12c..5625f3d340318 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c

[ ... ]

> @@ -1309,6 +1318,24 @@ static int panthor_vm_op_ctx_prealloc_pts(struct 
> panthor_vm_op_ctx *op_ctx)
>       return 0;
>  }
>  
> +static bool
> +panthor_vm_is_kernel_address(struct panthor_vm *vm,
> +                          const struct drm_panthor_vm_bind_op *op)
> +{
> +     u32 op_type = op->flags & DRM_PANTHOR_VM_BIND_OP_TYPE_MASK;
> +     u64 end, kstart, krange, kend;
> +
> +     if (op_type == DRM_PANTHOR_VM_BIND_OP_TYPE_SYNC_ONLY)
> +             return false;
> +
> +     end = op->va + op->size;
> +     kstart = vm->kernel_va.start;
> +     krange = vm->kernel_va.range;
> +     kend = kstart + krange;
> +
> +     return krange && op->va < kend && kstart < end;

[Severity: Medium]
Can this calculation integer overflow?

If a user provides an op->va and op->size that wrap around a 64-bit integer
when added, end becomes a small value.

This would cause the intersection check (kstart < end) to evaluate to false,
bypassing the newly added kernel BO range check.

Should this use an overflow-safe check to validate the range before checking
the intersection?

> +}
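
Review bot: In panthor_vm_is_kernel_address(), `end = op->va + op->size` and `kend = kstart + krange` are both unchecked u64 additions feeding the final `op->va < kend && kstart < end` test, so a wrapped sum on either side makes the function return false for a range that does reach into the carve-out. op->va and op->size come straight from the bind op, so that sum needs an explicit guard; whether kstart + krange can wrap depends on how vm->kernel_va is set up, which is not visible in this hunk. Suggest computing the ends with check_add_overflow() and treating a wrap of op->va + op->size as a rejected bind instead of falling through to the intersection test. A short comment explaining why DRM_PANTHOR_VM_BIND_OP_TYPE_SYNC_ONLY is exempt from the check would also help.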

-- 
Sashiko AI review · 
https://sashiko.dev/#/patchset/[email protected]?part=1
