[PATCH] drm/amdgpu: Fix PRT VA handling and guard BO access in VA update path

[Srinivasan Shanmugam]

PRT (Page Request Table) mappings are not backed by a real buffer.  In
this case, bo_va is valid, but bo_va->bo is NULL, meaning the mapping
exists but does not point to any real buffer object.

amdgpu_gem_va_ioctl() currently mixes CLEAR and PRT handling, which can
result in incorrect bo_va selection. CLEAR should use bo_va = NULL,
while PRT should use the special fpriv->prt_va mapping.

Fix this by clearly selecting bo_va:
- use fpriv->prt_va for PRT
- use NULL only for CLEAR
- use amdgpu_vm_bo_find() for normal BO mappings

Also, amdgpu_gem_va_update_vm() accesses bo_va->base.bo without checking
if it is NULL. This is not valid for PRT mappings.

This keeps CLEAR, PRT, and normal cases separate and avoids invalid
memory access.

Cc: Alex Deucher <alexander.deuc...@amd.com>
Suggested-by: Christian König <christian.koe...@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmu...@amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index b0ba2bdaf43a..289d6b58b579 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -772,8 +772,10 @@ amdgpu_gem_va_update_vm(struct amdgpu_device *adev,
        if (r)
                goto error;
 
+       /* Only do BO-specific handling if this VA is backed by a real BO */
        if ((operation == AMDGPU_VA_OP_MAP ||
             operation == AMDGPU_VA_OP_REPLACE) &&
+           bo_va->base.bo &&
            !amdgpu_vm_is_bo_always_valid(vm, bo_va->base.bo)) {
 
                /*
@@ -909,15 +911,23 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void 
*data,
                        goto error;
        }
 
-       /* Resolve the BO-VA mapping for this VM/BO combination. */
-       if (abo) {
+       /* Resolve the BO-VA mapping for this VM/BO combination.
+        *
+        * Depending on the case decide bo_va:
+        * - PRT: use special per-file prt_va (bo_va valid, but bo_va->bo == 
NULL)
+        * - CLEAR: no BO involved → bo_va = NULL
+        * - Normal BO path: lookup mapping from VM
+        */
+       if (args->flags & AMDGPU_VM_PAGE_PRT) {
+               bo_va = fpriv->prt_va;
+       } else if (args->operation == AMDGPU_VA_OP_CLEAR) {
+               bo_va = NULL;
+       } else if (abo) {
                bo_va = amdgpu_vm_bo_find(&fpriv->vm, abo);
                if (!bo_va) {
                        r = -ENOENT;
                        goto error;
                }
-       } else if (args->operation != AMDGPU_VA_OP_CLEAR) {
-               bo_va = fpriv->prt_va;
        } else {
                bo_va = NULL;
        }
-- 
2.34.1