On 23.06.2026 20:14, [email protected] wrote: > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) > to consider: > - [Medium] Integer overflow in `panthor_vm_is_kernel_address()` bypasses the > newly added kernel BO range check. > -- > > commit 517863d5c6821783c9329a7a6ac1663177dce0ba > Author: Adrián Larumbe <[email protected]> > > drm/panthor: Add vm_bind region with kbo range intersection check > > This commit adds a check during VM binding to ensure that user-exposed BO > mappings do not intersect with the virtual address space carve-out reserved > for kernel BOs. It introduces panthor_vm_is_kernel_address() to evaluate if > the requested mapping overlaps with the kernel VA range. > > > diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c > > b/drivers/gpu/drm/panthor/panthor_mmu.c > > index 31cc57029c12c..5625f3d340318 100644 > > --- a/drivers/gpu/drm/panthor/panthor_mmu.c > > +++ b/drivers/gpu/drm/panthor/panthor_mmu.c > > [ ... ] 
> > > @@ -1309,6 +1318,24 @@ static int panthor_vm_op_ctx_prealloc_pts(struct > > panthor_vm_op_ctx *op_ctx) > > return 0; > > } > > > > +static bool > > +panthor_vm_is_kernel_address(struct panthor_vm *vm, > > + const struct drm_panthor_vm_bind_op *op) > > +{ > > + u32 op_type = op->flags & DRM_PANTHOR_VM_BIND_OP_TYPE_MASK; > > + u64 end, kstart, krange, kend; > > + > > + if (op_type == DRM_PANTHOR_VM_BIND_OP_TYPE_SYNC_ONLY) > > + return false; > > + > > + end = op->va + op->size; > > + kstart = vm->kernel_va.start; > > + krange = vm->kernel_va.range; > > + kend = kstart + krange; > > + > > + return krange && op->va < kend && kstart < end; > > [Severity: Medium] > Can this calculation integer overflow? > > If a user provides an op->va and op->size that wrap around a 64-bit integer > when added, end becomes a small value. > > This would cause the intersection check (kstart < end) to evaluate to false, > bypassing the newly added kernel BO range check. > > Should this use an overflow safe check to validate the range before checking > the intersection?
Will address in v3. > > +} > > -- > Sashiko AI review · > https://sashiko.dev/#/patchset/[email protected]?part=1 Adrian Larumbe
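Review bot: In panthor_vm_is_kernel_address(), `end = op->va + op->size;` adds two fields of the user-supplied bind op with no wrap check, so a va/size pair whose sum wraps past 64 bits produces a small `end`, `kstart < end` evaluates false, and the function returns false for that request. Compute the end with check_add_overflow(op->va, op->size, &end) from <linux/overflow.h> and treat a wrapped range as intersecting (return true), or reject such a request before this helper is reached. `kend = kstart + krange;` has the same shape; since those values come from vm->kernel_va, either use the same helper there or add a comment stating the invariant that keeps the sum from wrapping. A one-line comment that both ranges are compared as half-open [start, end) intervals would also make the final `op->va < kend && kstart < end` test easier to audit.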
