drm/v3d: Prevent out of bounds access in performance query extensions

Check that the number of perfmons userspace is passing in the copy and
reset extensions is not greater than the internal kernel storage where
the ids will be copied into.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
Cc: Maíra Canal <mcanal@igalia.com>
Cc: Iago Toral Quiroga <itoral@igalia.com>
Cc: stable@vger.kernel.org # v6.8+
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Reviewed-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-2-tursulin@igalia.com
(cherry picked from commit f32b5128d2c440368b5bf3a7a356823e235caabb)
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>

diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index 88f63d5..263fefc 100644 (file)
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,9 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
        if (copy_from_user(&reset, ext, sizeof(reset)))
                return -EFAULT;
 
+       if (reset.nperfmons > V3D_MAX_PERFMONS)
+               return -EINVAL;
+
        job->job_type = V3D_CPU_JOB_TYPE_RESET_PERFORMANCE_QUERY;
 
        job->performance_query.queries = kvmalloc_array(reset.count,
@@ -708,6 +711,9 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
        if (copy.pad)
                return -EINVAL;
 
+       if (copy.nperfmons > V3D_MAX_PERFMONS)
+               return -EINVAL;
+
        job->job_type = V3D_CPU_JOB_TYPE_COPY_PERFORMANCE_QUERY;
 
        job->performance_query.queries = kvmalloc_array(copy.count,