drm/v3d: Prevent out of bounds access in performance query extensions

From: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxx>

commit 6ce9efd12ae81cf46bf44eb0348594558dfbb9d2 upstream.

Check that the number of perfmons userspace is passing in the copy and
reset extensions is not greater than the internal kernel storage where
the ids will be copied into.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxx>
Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
Cc: Maíra Canal <mcanal@xxxxxxxxxx>
Cc: Iago Toral Quiroga <itoral@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # v6.8+
Reviewed-by: Iago Toral Quiroga <itoral@xxxxxxxxxx>
Reviewed-by: Maíra Canal <mcanal@xxxxxxxxxx>
Signed-off-by: Maíra Canal <mcanal@xxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-2-tursulin@xxxxxxxxxx
(cherry picked from commit f32b5128d2c440368b5bf3a7a356823e235caabb)
Signed-off-by: Thomas Zimmermann <tzimmermann@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/v3d/v3d_submit.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,9 @@ v3d_get_cpu_reset_performance_params(str
 	if (copy_from_user(&reset, ext, sizeof(reset)))
 		return -EFAULT;
 
+	if (reset.nperfmons > V3D_MAX_PERFMONS)
+		return -EINVAL;
+
 	job->job_type = V3D_CPU_JOB_TYPE_RESET_PERFORMANCE_QUERY;
 
 	job->performance_query.queries = kvmalloc_array(reset.count,
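Review bot: reset.count reaches kvmalloc_array() in the context line right after this check with no upper bound visible in the hunk, while reset.nperfmons now has one. kvmalloc_array() guards the size multiplication against overflow, but a userspace-chosen count still decides how much the kernel tries to allocate, so it is worth confirming that count is limited elsewhere or capping it here next to the new check. Placing the nperfmons test before job->job_type is assigned is good, since the -EINVAL return then has nothing to unwind.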
@@ -708,6 +711,9 @@ v3d_get_cpu_copy_performance_query_param
 	if (copy.pad)
 		return -EINVAL;
 
+	if (copy.nperfmons > V3D_MAX_PERFMONS)
+		return -EINVAL;
+
 	job->job_type = V3D_CPU_JOB_TYPE_COPY_PERFORMANCE_QUERY;
 
 	job->performance_query.queries = kvmalloc_array(copy.count,
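Review bot: the copy.nperfmons test here is a twin of the reset.nperfmons test in the first hunk, and both compare with `>`, so a value equal to V3D_MAX_PERFMONS is accepted. That is correct only if the kernel-side id storage holds exactly V3D_MAX_PERFMONS entries; the array declaration is not part of this diff, so a short comment naming that storage at each check, or one small helper shared by both extensions, would make the bound self-documenting and harder to forget if another perfmon extension is added later. nperfmons == 0 also passes both checks; if a request with zero perfmons is not meaningful, rejecting it at the same spot would be cheap.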


Patches currently in stable-queue which might be from tvrtko.ursulin@xxxxxxxxxx are

queue-6.10/drm-v3d-validate-passed-in-drm-syncobj-handles-in-the-performance-extension.patch
queue-6.10/drm-v3d-prevent-out-of-bounds-access-in-performance-query-extensions.patch
queue-6.10/drm-v3d-validate-passed-in-drm-syncobj-handles-in-the-timestamp-extension.patch
queue-6.10/drm-v3d-fix-potential-memory-leak-in-the-timestamp-extension.patch
queue-6.10/drm-v3d-fix-potential-memory-leak-in-the-performance-extension.patch



