On 2026-06-24 15:49:32+01:00, Steven Price wrote:
> On 19/06/2026 13:41, Adrián Larumbe wrote:
>
> > When a VM is created, caller has to specify the range of the address space
> > carve-out set aside for mapping kernel BO's. That means vm_bind mappings of
> > UM-exposed BO's should not intersect with that region, but at the moment
> > we're not checking this.
> >
> > At first, I thought of giving these values to drm_gpuvm_init() through its
> > reserve_{offset, range} arguments, but it turns out that is meant for VM
> > address spans that are not managed through the usual drm_gpuvm split/merge
> > circuit, so storing the end of the user VA range at VM creation time and
> > doing a quick check in the vm_bind ioctl path was the simplest workaround.
> >
> > Signed-off-by: Adrián Larumbe <[email protected]>
> > ---
> > drivers/gpu/drm/panthor/panthor_mmu.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c
> > b/drivers/gpu/drm/panthor/panthor_mmu.c
> > index 31cc57029c12..a8de4fe6b231 100644
> > --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> > +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> > @@ -310,6 +310,9 @@ struct panthor_vm {
> > u64 end;
> > } kernel_auto_va;
> >
> > + /** @user_va_end: Last VA in the address range VM users can map objects
> > against. */
> > + u64 user_va_end;
> > +
> > /** @as: Address space related fields. */
> > struct {
> > /**
> > @@ -2893,6 +2896,8 @@ panthor_vm_create(struct panthor_device *ptdev, bool
> > for_mcu,
> > va_range = full_va_range;
> > }
> >
> > + vm->user_va_end = kernel_va_start - 1;
> > +
> > mutex_init(&vm->mm_lock);
> > drm_mm_init(&vm->mm, kernel_va_start, kernel_va_size);
> > vm->kernel_auto_va.start = auto_kernel_va_start;
> > @@ -2981,6 +2986,10 @@ panthor_vm_bind_prepare_op_ctx(struct drm_file *file,
> > if (!IS_ALIGNED(op->va | op->size | op->bo_offset, vm_pgsz))
> > return -EINVAL;
> >
> > + /* We don't allow mappings that overlap with kbo's reserved range */
> > + if (op->va + op->size > vm->user_va_end)
> > + return -EINVAL;
>
> Minor issue, but this is off-by-one. If you attempt to map just the last
> page then op->va==kernel_va_start - PAGE_SIZE and op->size == PAGE_SIZE.
> But this check will reject it.
>
> I suggest removing the "- 1" from user_vm_end, which also means it
> matches the user_va_range we pass back to user space (will appropriate
> comment/name updates).
On top of that, we need an overflow check on (op->va + op->size) for sparse
mappings. At the moment panthor_vm_prepare_map_op_ctx() does bound checks
for normal bindings, but since sparse mappings aren't bounded other than the
user/lernel VA space split, we'll need a fix for that to. I'll add another
Fixes: tag and reference the relevant sparse binding support commit.
> Thanks,
> Steve
Cheers,
Adrian
