[PATCH v3 4/4] drm/panthor: Check for sparse binding range overflow
From: Adrián Larumbe
Date: Mon Jun 29 2026 - 16:19:21 EST
This check is being already carried out further down the call stack inside
drm_gpuvm_sm_map -> drm_gpuvm_range_valid, but it's best to fail early in
the driver before GPUVM functions are invoked so that we won't waste time
allocating vm_bind context resources.
Reported-by: Sashiko <noreply@xxxxxxxxxxx>
Closes: https://sashiko.dev/#/message/20260623204220.CDB1B1F000E9%40smtp.kernel.org
Fixes: 12cf826bf1dd ("drm/panthor: Support sparse mappings")
Signed-off-by: Adrián Larumbe <adrian.larumbe@xxxxxxxxxxxxx>
---
drivers/gpu/drm/panthor/panthor_mmu.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
index 77fdad4e5166..8bd9b975e5ce 100644
--- a/drivers/gpu/drm/panthor/panthor_mmu.c
+++ b/drivers/gpu/drm/panthor/panthor_mmu.c
@@ -1328,6 +1328,7 @@ static int panthor_vm_prepare_map_op_ctx(struct panthor_vm_op_ctx *op_ctx,
struct drm_gpuvm_bo *preallocated_vm_bo;
struct sg_table *sgt = NULL;
int ret;
+ u64 end;
if (!bo)
return -EINVAL;
@@ -1353,6 +1354,10 @@ static int panthor_vm_prepare_map_op_ctx(struct panthor_vm_op_ctx *op_ctx,
if (is_sparse && (op->bo_handle || op->bo_offset))
return -EINVAL;
+ /* Protect against sparse VA range overflow */
+ if (is_sparse && check_add_overflow(op->va, op->size, &end))
+ return -EINVAL;
+
/* If the BO has an exclusive VM attached, it can't be mapped to other VMs. */
if (bo->exclusive_vm_root_gem &&
bo->exclusive_vm_root_gem != panthor_vm_root_gem(vm))
@@ -1418,7 +1423,9 @@ static int panthor_vm_prepare_unmap_op_ctx(struct panthor_vm_op_ctx *op_ctx,
struct panthor_vm *vm,
const struct drm_panthor_vm_bind_op *op)
{
+ bool is_sparse = op->flags & DRM_PANTHOR_VM_BIND_OP_MAP_SPARSE;
u32 pt_count = 0;
+ u64 end;
int ret;
memset(op_ctx, 0, sizeof(*op_ctx));
@@ -1432,6 +1439,10 @@ static int panthor_vm_prepare_unmap_op_ctx(struct panthor_vm_op_ctx *op_ctx,
if (op->va != ALIGN(op->va, SZ_2M))
pt_count++;
+ /* Protect against sparse VA range overflow */
+ if (is_sparse && check_add_overflow(op->va, op->size, &end))
+ return -EINVAL;
+
if (op->va + op->size != ALIGN(op->va + op->size, SZ_2M) &&
ALIGN(op->va + op->size, SZ_2M) != ALIGN(op->va, SZ_2M))
pt_count++;
--
2.54.0