On Thu, May 7, 2026 at 1:39 PM Amir Shetaia <[email protected]> wrote:
>
> From: Amir Shetaia <[email protected]>
>
> amdgpu_gem_userptr_ioctl() currently accepts any value of args->addr
> and only discovers an out-of-range pointer much later, inside
> amdgpu_gem_object_create() and the HMM mirror registration path.
> Userspace can drive that path with kernel-side virtual addresses;
> the get_user_pages() layer rejects them, but only after the driver
> has already allocated a GEM object and started wiring up notifier
> state that then has to be torn down on failure.
>
> Add an access_ok() guard at the top of the ioctl, right after the
> existing page-alignment check and before flag validation, so any
> address that does not lie within the calling task's user address
> range is rejected with -EFAULT before any allocation occurs. No
> legitimate ROCm/HSA userspace passes kernel-mode pointers through
> this interface, so this is defense-in-depth rather than a behaviour
> change for valid callers; -EFAULT matches the convention already
> used by other uaccess-style rejections in the kernel.
>
> Also add an explicit #include <linux/uaccess.h>; access_ok() is
> otherwise only available transitively through other headers in
> this translation unit.
>
> Signed-off-by: Amir Shetaia <[email protected]>

Reviewed-by: Alex Deucher <[email protected]>

> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c 
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index 0071d6957828..ad3d371ad7b9 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -32,6 +32,7 @@
>  #include <linux/pci.h>
>  #include <linux/dma-buf.h>
>  #include <linux/dma-fence-unwrap.h>
> +#include <linux/uaccess.h>
>
>  #include <drm/amdgpu_drm.h>
>  #include <drm/drm_drv.h>
> @@ -509,6 +510,9 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void 
> *data,
>         if (offset_in_page(args->addr | args->size))
>                 return -EINVAL;
>
> +       if (!access_ok((void __user *)(uintptr_t)args->addr, args->size))
> +               return -EFAULT;
> +
>         /* reject unknown flag values */
>         if (args->flags & ~(AMDGPU_GEM_USERPTR_READONLY |
>             AMDGPU_GEM_USERPTR_ANONONLY | AMDGPU_GEM_USERPTR_VALIDATE |
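
Review bot: the new access_ok() call open-codes the pointer conversion as `(void __user *)(uintptr_t)args->addr`. If args->addr is a u64 (its declaration is not visible in this hunk), u64_to_user_ptr(args->addr) is the usual kernel helper for this and adds a type check on the argument. The new check also carries no comment, unlike the flag check right below it ("/* reject unknown flag values */"); a one-line comment saying that non-user ranges are rejected here before any allocation would keep the intent next to the code. access_ok() only bounds the range against the user address limit and says nothing about whether the pages are mapped, so the later get_user_pages() failure path described in the commit message still has to unwind correctly.
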
> --
> 2.43.0
>
