Re: [PATCH v3 4/4] drm/panthor: Check for sparse binding range overflow

From: Boris Brezillon

Date: Tue Jun 30 2026 - 04:24:02 EST


On Mon, 29 Jun 2026 21:17:08 +0100
Adrián Larumbe <adrian.larumbe@xxxxxxxxxxxxx> wrote:

> This check is being already carried out further down the call stack inside
> drm_gpuvm_sm_map -> drm_gpuvm_range_valid, but it's best to fail early in
> the driver before GPUVM functions are invoked so that we won't waste time
> allocating vm_bind context resources.
>
> Reported-by: Sashiko <noreply@xxxxxxxxxxx>
> Closes: https://sashiko.dev/#/message/20260623204220.CDB1B1F000E9%40smtp.kernel.org
> Fixes: 12cf826bf1dd ("drm/panthor: Support sparse mappings")
> Signed-off-by: Adrián Larumbe <adrian.larumbe@xxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/panthor/panthor_mmu.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> index 77fdad4e5166..8bd9b975e5ce 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> @@ -1328,6 +1328,7 @@ static int panthor_vm_prepare_map_op_ctx(struct panthor_vm_op_ctx *op_ctx,
> struct drm_gpuvm_bo *preallocated_vm_bo;
> struct sg_table *sgt = NULL;
> int ret;
> + u64 end;
>
> if (!bo)
> return -EINVAL;
> @@ -1353,6 +1354,10 @@ static int panthor_vm_prepare_map_op_ctx(struct panthor_vm_op_ctx *op_ctx,
> if (is_sparse && (op->bo_handle || op->bo_offset))
> return -EINVAL;
>
> + /* Protect against sparse VA range overflow */
> + if (is_sparse && check_add_overflow(op->va, op->size, &end))
> + return -EINVAL;

Why should we limit this to sparse? Feels like the overflow check is
good to have for non-sparse as well.

> +
> /* If the BO has an exclusive VM attached, it can't be mapped to other VMs. */
> if (bo->exclusive_vm_root_gem &&
> bo->exclusive_vm_root_gem != panthor_vm_root_gem(vm))
> @@ -1418,7 +1423,9 @@ static int panthor_vm_prepare_unmap_op_ctx(struct panthor_vm_op_ctx *op_ctx,
> struct panthor_vm *vm,
> const struct drm_panthor_vm_bind_op *op)
> {
> + bool is_sparse = op->flags & DRM_PANTHOR_VM_BIND_OP_MAP_SPARSE;
> u32 pt_count = 0;
> + u64 end;
> int ret;
>
> memset(op_ctx, 0, sizeof(*op_ctx));
> @@ -1432,6 +1439,10 @@ static int panthor_vm_prepare_unmap_op_ctx(struct panthor_vm_op_ctx *op_ctx,
> if (op->va != ALIGN(op->va, SZ_2M))
> pt_count++;
>
> + /* Protect against sparse VA range overflow */
> + if (is_sparse && check_add_overflow(op->va, op->size, &end))
> + return -EINVAL;
> +
> if (op->va + op->size != ALIGN(op->va + op->size, SZ_2M) &&
> ALIGN(op->va + op->size, SZ_2M) != ALIGN(op->va, SZ_2M))
> pt_count++;
>