drm/amdgpu: avoid integer overflow in VA range check

The original addition operation in 64-bit unsigned type may encounter
overflow situations. To prevent such issues and safely reject invalid
inputs, the check_add_overflow() function is used.

Signed-off-by: Ce Sun <cesun102@amd.com>
Reviewed-by: Tao Zhou <tao.zhou1@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cc768f4dd0bb9083c813683eeec44fc23921f771)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 23f2304ee7e091f2cd751c34c1873ff93b9985ea..123d4a09114dfbb74b0556c03e33d3224b3f912a 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -825,7 +825,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
        struct drm_syncobj *timeline_syncobj = NULL;
        struct dma_fence_chain *timeline_chain = NULL;
        struct drm_exec exec;
-       uint64_t vm_size;
+       uint64_t vm_size, tmp;
        int r = 0;
 
        /* Validate virtual address range against reserved regions. */
@@ -849,7 +849,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
 
        vm_size = adev->vm_manager.max_pfn * AMDGPU_GPU_PAGE_SIZE;
        vm_size -= AMDGPU_VA_RESERVED_TOP;
-       if (args->va_address + args->map_size > vm_size) {
+       if (check_add_overflow(args->va_address, args->map_size, &tmp) || tmp > vm_size) {
                dev_dbg(dev->dev,
                        "va_address 0x%llx is in top reserved area 0x%llx\n",
                        args->va_address + args->map_size, vm_size);