tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

drm/v3d: Validate passed in drm syncobj handles in the timestamp extension

If userspace provides an unknown or invalid handle anywhere in the handle
array the rest of the driver will not handle that well.

Fix it by checking handle was looked up successfully or otherwise fail the
extension by jumping into the existing unwind.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job")
Cc: Maíra Canal <mcanal@igalia.com>
Cc: Iago Toral Quiroga <itoral@igalia.com>
Cc: stable@vger.kernel.org # v6.8+
Reviewed-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-5-tursulin@igalia.com

authored by

Tvrtko Ursulin and committed by
Maíra Canal 8d1276d1 484de39f

+12
+12
drivers/gpu/drm/v3d/v3d_submit.c
··· 498 498 } 499 499 500 500 job->timestamp_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync); 501 + if (!job->timestamp_query.queries[i].syncobj) { 502 + err = -ENOENT; 503 + goto error; 504 + } 501 505 } 502 506 job->timestamp_query.count = timestamp.count; 503 507 ··· 556 552 } 557 553 558 554 job->timestamp_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync); 555 + if (!job->timestamp_query.queries[i].syncobj) { 556 + err = -ENOENT; 557 + goto error; 558 + } 559 559 } 560 560 job->timestamp_query.count = reset.count; 561 561 ··· 624 616 } 625 617 626 618 job->timestamp_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync); 619 + if (!job->timestamp_query.queries[i].syncobj) { 620 + err = -ENOENT; 621 + goto error; 622 + } 627 623 } 628 624 job->timestamp_query.count = copy.count; 629 625