All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl
@ 2026-05-29 12:08 Andrzej Kacprowski
  2026-05-29 12:23 ` Wachowski, Karol
  0 siblings, 1 reply; 3+ messages in thread
From: Andrzej Kacprowski @ 2026-05-29 12:08 UTC (permalink / raw)
  To: dri-devel
  Cc: oded.gabbay, jeff.hugo, lizhi.hou, karol.wachowski,
	dawid.osuchowski, Andrzej Kacprowski, stable

Add validation that the info size returned from the metric stream info
query is not exceeded when checked against the allocated buffer size.
If the firmware returns a size larger than the buffer, reject the
operation with -EOVERFLOW instead of proceeding with an incorrect
buffer copy.

Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
Cc: <stable@vger.kernel.org> # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
---
 drivers/accel/ivpu/ivpu_ms.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c
index be43851f5f32..cd176e77b9a0 100644
--- a/drivers/accel/ivpu/ivpu_ms.c
+++ b/drivers/accel/ivpu/ivpu_ms.c
@@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_device *dev, void *data, struct drm_file *
 	if (ret)
 		goto unlock;
 
+	if (info_size > ivpu_bo_size(bo)) {
+		ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
+				      info_size, ivpu_bo_size(bo));
+		ret = -EOVERFLOW;
+		goto unlock;
+	}
+
 	if (args->buffer_size < info_size) {
 		ret = -ENOSPC;
 		goto unlock;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl
  2026-05-29 12:08 [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl Andrzej Kacprowski
@ 2026-05-29 12:23 ` Wachowski, Karol
  2026-06-02  5:49   ` Wachowski, Karol
  0 siblings, 1 reply; 3+ messages in thread
From: Wachowski, Karol @ 2026-05-29 12:23 UTC (permalink / raw)
  To: Andrzej Kacprowski, dri-devel
  Cc: oded.gabbay, jeff.hugo, lizhi.hou, dawid.osuchowski, stable

On 29-May-26 14:08, Andrzej Kacprowski wrote:
> Add validation that the info size returned from the metric stream info
> query is not exceeded when checked against the allocated buffer size.
> If the firmware returns a size larger than the buffer, reject the
> operation with -EOVERFLOW instead of proceeding with an incorrect
> buffer copy.
> 
> Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
> Cc: <stable@vger.kernel.org> # v6.18+
> Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>

Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>

> ---
>   drivers/accel/ivpu/ivpu_ms.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c
> index be43851f5f32..cd176e77b9a0 100644
> --- a/drivers/accel/ivpu/ivpu_ms.c
> +++ b/drivers/accel/ivpu/ivpu_ms.c
> @@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_device *dev, void *data, struct drm_file *
>   	if (ret)
>   		goto unlock;
>   
> +	if (info_size > ivpu_bo_size(bo)) {
> +		ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
> +				      info_size, ivpu_bo_size(bo));
> +		ret = -EOVERFLOW;
> +		goto unlock;
> +	}
> +
>   	if (args->buffer_size < info_size) {
>   		ret = -ENOSPC;
>   		goto unlock;


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl
  2026-05-29 12:23 ` Wachowski, Karol
@ 2026-06-02  5:49   ` Wachowski, Karol
  0 siblings, 0 replies; 3+ messages in thread
From: Wachowski, Karol @ 2026-06-02  5:49 UTC (permalink / raw)
  To: Andrzej Kacprowski, dri-devel
  Cc: oded.gabbay, jeff.hugo, lizhi.hou, dawid.osuchowski, stable

On 29-May-26 14:23, Wachowski, Karol wrote:
> On 29-May-26 14:08, Andrzej Kacprowski wrote:
>> Add validation that the info size returned from the metric stream info
>> query is not exceeded when checked against the allocated buffer size.
>> If the firmware returns a size larger than the buffer, reject the
>> operation with -EOVERFLOW instead of proceeding with an incorrect
>> buffer copy.
>>
>> Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
>> Cc: <stable@vger.kernel.org> # v6.18+
>> Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
> 
> Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>

Applied to drm-misc-fixes.

> 
>> ---
>>   drivers/accel/ivpu/ivpu_ms.c | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c
>> index be43851f5f32..cd176e77b9a0 100644
>> --- a/drivers/accel/ivpu/ivpu_ms.c
>> +++ b/drivers/accel/ivpu/ivpu_ms.c
>> @@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_device 
>> *dev, void *data, struct drm_file *
>>       if (ret)
>>           goto unlock;
>> +    if (info_size > ivpu_bo_size(bo)) {
>> +        ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
>> +                      info_size, ivpu_bo_size(bo));
>> +        ret = -EOVERFLOW;
>> +        goto unlock;
>> +    }
>> +
>>       if (args->buffer_size < info_size) {
>>           ret = -ENOSPC;
>>           goto unlock;
> 
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-02  5:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-29 12:08 [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl Andrzej Kacprowski
2026-05-29 12:23 ` Wachowski, Karol
2026-06-02  5:49   ` Wachowski, Karol

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.