drm/v3d: Prevent out of bounds access in performance query extensions

Check that the number of perfmons userspace is passing in the copy and
reset extensions is not greater than the internal kernel storage where
the ids will be copied into.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
Cc: Maíra Canal <mcanal@igalia.com>
Cc: Iago Toral Quiroga <itoral@igalia.com>
Cc: stable@vger.kernel.org # v6.8+
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Reviewed-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-2-tursulin@igalia.com

diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index 88f63d526b22365b42b90e90d5b451a56e3fda52..263fefc1d04ff7ce0c1de849085d667dc3fc43ad 100644 (file)
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,9 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
        if (copy_from_user(&reset, ext, sizeof(reset)))
                return -EFAULT;
 
+       if (reset.nperfmons > V3D_MAX_PERFMONS)
+               return -EINVAL;
+
        job->job_type = V3D_CPU_JOB_TYPE_RESET_PERFORMANCE_QUERY;
 
        job->performance_query.queries = kvmalloc_array(reset.count,
@@ -708,6 +711,9 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
        if (copy.pad)
                return -EINVAL;
 
+       if (copy.nperfmons > V3D_MAX_PERFMONS)
+               return -EINVAL;
+
        job->job_type = V3D_CPU_JOB_TYPE_COPY_PERFORMANCE_QUERY;
 
        job->performance_query.queries = kvmalloc_array(copy.count,