diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index f6b224a69b3ab45329f699aed08d92b40d9987c6..f09b2cba40ca505649decf23a27b60850b62407a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -564,21 +564,33 @@ static int amdgpu_cs_ib_fill(struct amdgpu_device *adev,
 return r;

 if (ring->funcs->parse_cs) {
+ struct amdgpu_bo_va_mapping *m;
 struct amdgpu_bo *aobj = NULL;
- void *kptr;
+ uint64_t offset;
+ uint8_t *kptr;

- amdgpu_cs_find_mapping(parser, chunk_ib->va_start, &aobj);
+ m = amdgpu_cs_find_mapping(parser, chunk_ib->va_start,
+ &aobj);
 if (!aobj) {
 DRM_ERROR("IB va_start is invalid\n");
 return -EINVAL;
 }

+ if ((chunk_ib->va_start + chunk_ib->ib_bytes) >
+ (m->it.last + 1) * AMDGPU_GPU_PAGE_SIZE) {
+ DRM_ERROR("IB va_start+ib_bytes is invalid\n");
+ return -EINVAL;
+ }
+
 /* the IB should be reserved at this point */
- r = amdgpu_bo_kmap(aobj, &kptr);
+ r = amdgpu_bo_kmap(aobj, (void **)&kptr);
 if (r) {
 return r;
 }

+ offset = ((uint64_t)m->it.start) * AMDGPU_GPU_PAGE_SIZE;
+ kptr += chunk_ib->va_start - offset;
+
 r = amdgpu_ib_get(ring, NULL, chunk_ib->ib_bytes, ib);
 if (r) {
 DRM_ERROR("Failed to get ib !\n");
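Review bot: The upper bound in the new range check, `(m->it.last + 1) * AMDGPU_GPU_PAGE_SIZE`, is computed without the `(uint64_t)` cast that the `offset` calculation a few lines below applies to `m->it.start`. The type of `it.last` is not visible here; if it is `unsigned long`, the product can wrap on 32-bit builds, and the user-supplied `va_start + ib_bytes` would then be compared against a truncated limit. I would write the bound as `((uint64_t)m->it.last + 1) * AMDGPU_GPU_PAGE_SIZE` so that both page-to-byte conversions match. Testing `!m` alongside `!aobj` before the dereference would also make the guard independent of how amdgpu_cs_find_mapping() fills in `aobj`. amdgpu_cs_ib_fill() begins and ends outside this hunk.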