On 23.06.2026 20:14, [email protected] wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
> to consider:
> - [Medium] Integer overflow in `panthor_vm_is_kernel_address()` bypasses the 
> newly added kernel BO range check.
> --
> 
> commit 517863d5c6821783c9329a7a6ac1663177dce0ba
> Author: Adrián Larumbe <[email protected]>
> 
> drm/panthor: Add vm_bind region with kbo range intersection check
> 
> This commit adds a check during VM binding to ensure that user-exposed BO
> mappings do not intersect with the virtual address space carve-out reserved
> for kernel BOs. It introduces panthor_vm_is_kernel_address() to evaluate if
> the requested mapping overlaps with the kernel VA range.
> 
> > diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c 
> > b/drivers/gpu/drm/panthor/panthor_mmu.c
> > index 31cc57029c12c..5625f3d340318 100644
> > --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> > +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> 
> [ ... ]
> 
> > @@ -1309,6 +1318,24 @@ static int panthor_vm_op_ctx_prealloc_pts(struct 
> > panthor_vm_op_ctx *op_ctx)
> >     return 0;
> >  }
> >  
> > +static bool
> > +panthor_vm_is_kernel_address(struct panthor_vm *vm,
> > +                        const struct drm_panthor_vm_bind_op *op)
> > +{
> > +   u32 op_type = op->flags & DRM_PANTHOR_VM_BIND_OP_TYPE_MASK;
> > +   u64 end, kstart, krange, kend;
> > +
> > +   if (op_type == DRM_PANTHOR_VM_BIND_OP_TYPE_SYNC_ONLY)
> > +           return false;
> > +
> > +   end = op->va + op->size;
> > +   kstart = vm->kernel_va.start;
> > +   krange = vm->kernel_va.range;
> > +   kend = kstart + krange;
> > +
> > +   return krange && op->va < kend && kstart < end;
> 
> [Severity: Medium]
> Can this calculation integer overflow?
> 
> If a user provides an op->va and op->size that wrap around a 64-bit integer
> when added, end becomes a small value.
> 
> This would cause the intersection check (kstart < end) to evaluate to false,
> bypassing the newly added kernel BO range check.
> 
> Should this use an overflow safe check to validate the range before checking
> the intersection?

Will address in v3.

> > +}
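
Review bot: `end = op->va + op->size` adds two fields of the bind op with no wrap check, so a sum past 2^64 can leave `end` at or below `kstart`, and the function then returns false for a range that runs through the carve-out. Compute the end with check_add_overflow() from <linux/overflow.h> and treat a wrapped range as intersecting, or reject it with an error before this helper runs. `kend = kstart + krange` deserves the same check, or a comment saying why it cannot wrap.
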
> 
> -- 
> Sashiko AI review · 
> https://sashiko.dev/#/patchset/[email protected]?part=1

Adrian Larumbe
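
The wrap-around discussed in the review above, reproduced in user-space C as an added example (not code from the patch or from the panthor driver). `struct va_range`, `KVA`, `overlaps_unchecked()` and `overlaps_checked()` are hypothetical names with constructed values, and `__builtin_add_overflow` (GCC/Clang) stands in for a kernel overflow helper.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel VA carve-out (vm->kernel_va in the patch). */
struct va_range { uint64_t start, range; };
static const struct va_range KVA = { 0x800000000000ULL, 0x400000000000ULL };

/* Same arithmetic as the quoted hunk: va + size may wrap past 2^64. */
static bool overlaps_unchecked(struct va_range k, uint64_t va, uint64_t size)
{
    uint64_t end = va + size;
    uint64_t kend = k.start + k.range;

    return k.range && va < kend && k.start < end;
}

/* Hardened form (assumption, not the v3 patch): a wrapping [va, va + size)
 * is reported as overlapping so the caller refuses the bind.
 * The carve-out itself is assumed not to wrap. */
static bool overlaps_checked(struct va_range k, uint64_t va, uint64_t size)
{
    uint64_t end;
    uint64_t kend = k.start + k.range;

    if (__builtin_add_overflow(va, size, &end))
        return true;

    return k.range && va < kend && k.start < end;
}

int main(void)
{
    /* Constructed inputs: 0x1000 + 0xfffffffffffff000 wraps to 0. */
    uint64_t va = 0x1000, size = UINT64_MAX - 0xfff;

    printf("unchecked: %d\n", overlaps_unchecked(KVA, va, size));
    printf("checked:   %d\n", overlaps_checked(KVA, va, size));
    return 0;
}
```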
