On Wed, Aug 27, 2025 at 7:41 AM Liang, Prike <prike.li...@amd.com> wrote:
>
> [Public]
>
> Regards,
>       Prike
>
> > -----Original Message-----
> > From: Alex Deucher <alexdeuc...@gmail.com>
> > Sent: Tuesday, August 26, 2025 11:00 PM
> > To: Liang, Prike <prike.li...@amd.com>
> > Cc: amd-gfx@lists.freedesktop.org; Deucher, Alexander
> > <alexander.deuc...@amd.com>; Koenig, Christian <christian.koe...@amd.com>
> > Subject: Re: [PATCH v9 07/14] drm/amdgpu: validate userq buffer virtual 
> > address
> > and size
> >
> > On Tue, Aug 26, 2025 at 4:03 AM Prike Liang <prike.li...@amd.com> wrote:
> > >
> > > It needs to validate the userq object virtual address to determin
> > > whether it is residented in a valid vm mapping.
> >
> > determine
> >
> > >
> > > Signed-off-by: Prike Liang <prike.li...@amd.com>
> > > Reviewed-by: Alex Deucher <alexander.deuc...@amd.com>
> > > ---
> > >  drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c  | 41
> > > ++++++++++++++++++++++  drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h  |
> > > 2 ++  drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 22 ++++++++++++
> > >  3 files changed, 65 insertions(+)
> > >
> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > > b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > > index b670ca8111f3..0aeb7a96ccbf 100644
> > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
> > > @@ -44,6 +44,38 @@ u32 amdgpu_userq_get_supported_ip_mask(struct
> > amdgpu_device *adev)
> > >         return userq_ip_mask;
> > >  }
> > >
> > > +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> > > +                               u64 expected_size) {
> > > +       struct amdgpu_bo_va_mapping *va_map;
> > > +       u64 user_addr;
> > > +       u64 size;
> > > +       int r = 0;
> > > +
> > > +       user_addr = (addr & AMDGPU_GMC_HOLE_MASK) >>
> > AMDGPU_GPU_PAGE_SHIFT;
> > > +       size = expected_size >> AMDGPU_GPU_PAGE_SHIFT;
> > > +
> > > +       r = amdgpu_bo_reserve(vm->root.bo, false);
> > > +       if (r)
> > > +               return r;
> > > +
> > > +       va_map = amdgpu_vm_bo_lookup_mapping(vm, user_addr);
> > > +       if (!va_map) {
> > > +               r = -EINVAL;
> > > +               goto out_err;
> > > +       }
> > > +       /* Only validate the userq whether resident in the VM mapping 
> > > range */
> > > +       if (user_addr >= va_map->start  &&
> > > +           va_map->last - user_addr + 1 >= size) {
> > > +               amdgpu_bo_unreserve(vm->root.bo);
> > > +               return 0;
> > > +       }
> > > +
> > > +out_err:
> > > +       amdgpu_bo_unreserve(vm->root.bo);
> > > +       return r;
> > > +}
> > > +
> > >  static int
> > >  amdgpu_userq_unmap_helper(struct amdgpu_userq_mgr *uq_mgr,
> > >                           struct amdgpu_usermode_queue *queue) @@
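Review bot: In `amdgpu_userq_input_va_validate()`, when `amdgpu_vm_bo_lookup_mapping()` returns a mapping but the range test fails, control falls through to `out_err` with `r` still 0 from the successful `amdgpu_bo_reserve()`, so the validator reports success for a range that does not fit the mapping. Add `r = -EINVAL;` immediately before the `out_err:` label so the fall-through path fails closed. Separately, `expected_size >> AMDGPU_GPU_PAGE_SHIFT` rounds down, so an `expected_size` smaller than one GPU page gives `size == 0` and the test passes for any mapped address; rounding the size up and rejecting a zero size would close that gap.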
> > > -399,6 +431,15 @@ amdgpu_userq_create(struct drm_file *filp, union
> > drm_amdgpu_userq *args)
> > >                 r = -ENOMEM;
> > >                 goto unlock;
> > >         }
> > > +
> > > +       /* Validate the userq virtual address.*/
> > > +       if (amdgpu_userq_input_va_validate(&fpriv->vm, args->in.queue_va, 
> > > args-
> > >in.queue_size) ||
> > > +           amdgpu_userq_input_va_validate(&fpriv->vm, args->in.rptr_va,
> > PAGE_SIZE) ||
> > > +           amdgpu_userq_input_va_validate(&fpriv->vm,
> > > + args->in.wptr_va, PAGE_SIZE)) {
> >
> > I think the sizes here should be AMDGPU_GPU_PAGE_SIZE rather than
> > PAGE_SIZE
> Yes, even though the two values are equal, that makes more sense for validating the
> GPU VA.

Well, they don't have to be.  E.g., if you compile the kernel with a
different page size they won't be equal.  Plus some other platforms
default to a non-4K page.

Alex

>
> > > +               queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> > > +               kfree(queue);
> > > +               goto unlock;
> > > +       }
> > >         queue->doorbell_handle = args->in.doorbell_handle;
> > >         queue->queue_type = args->in.ip_type;
> > >         queue->vm = &fpriv->vm;
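Review bot: The failure branch of the new `if` in `amdgpu_userq_create()` jumps to `unlock` without assigning `r`, so unless `r` already holds an error from code above the hunk, the ioctl can return a stale value (possibly 0) after the queue has been freed. Chaining the three calls with `||` also discards the validator's own return value, which includes whatever `amdgpu_bo_reserve()` returned, so a reservation failure becomes indistinguishable from a bad address. Consider checking them one at a time, `r = amdgpu_userq_input_va_validate(...); if (r) { kfree(queue); goto unlock; }`. The function starts and ends outside the hunk, so the state of `r` on entry to this branch should be confirmed against the full source.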
> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > > b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > > index 694f850d102e..0eb2a9c2e340 100644
> > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
> > > @@ -135,4 +135,6 @@ int
> > > amdgpu_userq_stop_sched_for_enforce_isolation(struct amdgpu_device *adev,
> > int amdgpu_userq_start_sched_for_enforce_isolation(struct amdgpu_device 
> > *adev,
> > >                                                    u32 idx);
> > >
> > > +int amdgpu_userq_input_va_validate(struct amdgpu_vm *vm, u64 addr,
> > > +                       u64 expected_size);
> > >  #endif
> > > diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > > b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > > index 1457fb49a794..6e29e85bbf9f 100644
> > > --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > > +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> > > @@ -206,6 +206,7 @@ static int mes_userq_mqd_create(struct
> > amdgpu_userq_mgr *uq_mgr,
> > >         struct amdgpu_mqd *mqd_hw_default = 
> > > &adev->mqds[queue->queue_type];
> > >         struct drm_amdgpu_userq_in *mqd_user = args_in;
> > >         struct amdgpu_mqd_prop *userq_props;
> > > +       struct amdgpu_gfx_shadow_info shadow_info;
> > >         int r;
> > >
> > >         /* Structure to initialize MQD for userqueue using generic MQD
> > > init function */ @@ -231,6 +232,8 @@ static int 
> > > mes_userq_mqd_create(struct
> > amdgpu_userq_mgr *uq_mgr,
> > >         userq_props->doorbell_index = queue->doorbell_index;
> > >         userq_props->fence_address = queue->fence_drv->gpu_addr;
> > >
> > > +       if (adev->gfx.funcs->get_gfx_shadow_info)
> > > +               adev->gfx.funcs->get_gfx_shadow_info(adev,
> > > + &shadow_info, true);
> > >         if (queue->queue_type == AMDGPU_HW_IP_COMPUTE) {
> > >                 struct drm_amdgpu_userq_mqd_compute_gfx11
> > > *compute_mqd;
> > >
> > > @@ -247,6 +250,12 @@ static int mes_userq_mqd_create(struct
> > amdgpu_userq_mgr *uq_mgr,
> > >                         goto free_mqd;
> > >                 }
> > >
> > > +               if (amdgpu_userq_input_va_validate(queue->vm, compute_mqd-
> > >eop_va,
> > > +                                       max_t(u32, PAGE_SIZE,
> > AMDGPU_GPU_PAGE_SIZE))) {
> > > +                       queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> >
> > Rather than setting the queue->state, just return -EINVAL.  We shouldn't 
> > create the
> > queue in the first place if the addresses are invalid.
> Noted.
>
> > > +                       goto free_mqd;
> > > +               }
> > > +
> > >                 userq_props->eop_gpu_addr = compute_mqd->eop_va;
> > >                 userq_props->hqd_pipe_priority =
> > AMDGPU_GFX_PIPE_PRIO_NORMAL;
> > >                 userq_props->hqd_queue_priority =
> > > AMDGPU_GFX_QUEUE_PRIORITY_MINIMUM;
> > > @@ -274,6 +283,13 @@ static int mes_userq_mqd_create(struct
> > amdgpu_userq_mgr *uq_mgr,
> > >                 userq_props->csa_addr = mqd_gfx_v11->csa_va;
> > >                 userq_props->tmz_queue =
> > >                         mqd_user->flags &
> > > AMDGPU_USERQ_CREATE_FLAGS_QUEUE_SECURE;
> > > +
> > > +               if (amdgpu_userq_input_va_validate(queue->vm, mqd_gfx_v11-
> > >shadow_va,
> > > +                                       shadow_info.shadow_size)) {
> > > +                       queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> >
> > Same comment here.
> >
> > > +                       goto free_mqd;
> > > +               }
> > > +
> > >                 kfree(mqd_gfx_v11);
> > >         } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
> > >                 struct drm_amdgpu_userq_mqd_sdma_gfx11 *mqd_sdma_v11;
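Review bot: The new `goto free_mqd` on a failed `shadow_va` check skips the `kfree(mqd_gfx_v11)` two lines below it, so unless the `free_mqd` label (outside the hunk) releases that buffer, every rejected request leaks the temporary MQD structure. The SDMA hunk below has the same shape with `kfree(mqd_sdma_v11)`, and the compute hunk above should be checked as well. Free the buffer before the jump, e.g. `kfree(mqd_gfx_v11);` ahead of `goto free_mqd;`. Also, `userq_props->csa_addr = mqd_gfx_v11->csa_va;` is assigned without any check, whereas the SDMA path validates `csa_va` against `shadow_info.csa_size`; the gfx path probably wants the same validation before the address is used.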
> > > @@ -291,6 +307,12 @@ static int mes_userq_mqd_create(struct
> > amdgpu_userq_mgr *uq_mgr,
> > >                         goto free_mqd;
> > >                 }
> > >
> > > +               if (amdgpu_userq_input_va_validate(queue->vm, 
> > > mqd_sdma_v11-
> > >csa_va,
> > > +                                       shadow_info.csa_size)) {
> > > +                       queue->state = AMDGPU_USERQ_STATE_INVALID_ARG;
> >
> > and here.
> >
> > Alex
> >
> > > +                       goto free_mqd;
> > > +               }
> > > +
> > >                 userq_props->csa_addr = mqd_sdma_v11->csa_va;
> > >                 kfree(mqd_sdma_v11);
> > >         }
> > > --
> > > 2.34.1
> > >
