drm/amdgpu: avoid integer overflow in VA range check

The original addition operation in 64-bit unsigned type may encounter overflow situations. To prevent such issues and safely reject invalid inputs, the check_add_overflow() function is used. Signed-off-by: Ce Sun <cesun102@amd.com> Reviewed-by: Tao Zhou <tao.zhou1@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
author: Ce Sun <cesun102@amd.com> 2026-05-11 18:04:57 +0800
committer: Alex Deucher <alexander.deucher@amd.com> 2026-05-19 11:45:42 -0400
commit: cc768f4dd0bb9083c813683eeec44fc23921f771 (patch)
tree: 2d44592565197b30375ec25ff905327072c893d2
parent: 911b1bdd22c3712a22b60fcc58f7b9f2d07b0803 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index c1bd4d475af4..27be5083f2af 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -826,7 +826,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
 	struct drm_syncobj *timeline_syncobj = NULL;
 	struct dma_fence_chain *timeline_chain = NULL;
 	struct drm_exec exec;
-	uint64_t vm_size;
+	uint64_t vm_size, tmp;
 	int r = 0;
 
 	/* Validate virtual address range against reserved regions. */
@@ -850,7 +850,7 @@ int amdgpu_gem_va_ioctl(struct drm_device *dev, void *data,
 
 	vm_size = adev->vm_manager.max_pfn * AMDGPU_GPU_PAGE_SIZE;
 	vm_size -= AMDGPU_VA_RESERVED_TOP;
-	if (args->va_address + args->map_size > vm_size) {
+	if (check_add_overflow(args->va_address, args->map_size, &tmp) || tmp > vm_size) {
 		dev_dbg(dev->dev,
 			"va_address 0x%llx is in top reserved area 0x%llx\n",
 			args->va_address + args->map_size, vm_size);
author	Ce Sun <cesun102@amd.com>	2026-05-11 18:04:57 +0800
committer	Alex Deucher <alexander.deucher@amd.com>	2026-05-19 11:45:42 -0400
commit	cc768f4dd0bb9083c813683eeec44fc23921f771 (patch)
tree	2d44592565197b30375ec25ff905327072c893d2
parent	911b1bdd22c3712a22b60fcc58f7b9f2d07b0803 (diff)