Re: [PATCH] drm/amdgpu: reject mapping info for unmapped BOs

From: Christian König

Date: Thu Jun 25 2026 - 04:47:02 EST


On 6/24/26 19:20, Yousef Alhouseen wrote:
> AMDGPU_GEM_OP_GET_MAPPING_INFO looks up the BO's VM mapping and then
> iterates the valid and invalid mapping lists unconditionally. A GEM BO can
> be queried before it has been mapped into the file VM, in which case
> amdgpu_vm_bo_find() returns NULL and the list walk dereferences it.

Mhm, that is not correct at all.

The bo_va is created when the handle is opened inside the filp and not when the first mapping is created.

Do you have a test case to reproduce the issue?

Thanks,
Christian.

>
> Return -ENOENT for an unmapped BO, matching the VA operation path that
> already rejects missing BO-VA state before touching the mapping lists.
>
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index 212c14d99..4b2699931 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -1087,6 +1087,12 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data,
> struct drm_amdgpu_gem_vm_entry *vm_entries;
> struct amdgpu_bo_va_mapping *mapping;
> int num_mappings = 0;
> +
> + if (!bo_va) {
> + r = -ENOENT;
> + goto out_exec;
> + }
> +
> /*
> * num_entries is set as an input to the size of the user-allocated array of
> * drm_amdgpu_gem_vm_entry stored at args->value.
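
Review bot: the `if (!bo_va)` check added after `int num_mappings = 0;` has no comment saying under which condition bo_va can be NULL at this point, and the only justification is the commit message's claim that amdgpu_vm_bo_find() returns NULL for a BO that has not been mapped yet, which the reply above disputes (the bo_va is created when the handle is opened inside the filp). Please add a one-line comment above the check naming the actual condition and put a reproducer in the commit message. Also, neither the `out_exec` label nor the state held when jumping to it is visible in this hunk, so state why that is the right unwind target for an early return from this block.
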
> --
> 2.54.0
>