dri-devel Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Maíra Canal" <mcanal@igalia.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v3 3/3] drm/v3d: Use write_to_buffer() helper in performance query copy
Date: Fri, 03 Jul 2026 15:43:48 +0000	[thread overview]
Message-ID: <20260703154349.5FE3C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-v3d-cpu-job-fixes-v3-3-bc51b1f3eeb5@igalia.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] The V3D CPU job execution functions do not validate userspace-provided offsets, strides, and query counts against the GEM buffer size, allowing trivial out-of-bounds kernel memory reads and writes.
--

commit bccb8e9eddf193e4beeaa67eb00038b0dc9bc030
Author: Maíra Canal <mcanal@igalia.com>

drm/v3d: Use write_to_buffer() helper in performance query copy

This commit updates the performance query result copy logic to use the
write_to_buffer() helper. This replaces the open-coded 32-bit and 64-bit
selection loops with a single simplified loop.

> diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
> index e950cee31bcba..21ab9cd836856 100644
> --- a/drivers/gpu/drm/v3d/v3d_sched.c
> +++ b/drivers/gpu/drm/v3d/v3d_sched.c
> @@ -605,15 +605,8 @@ v3d_write_performance_query_result(struct v3d_cpu_job *job, void *data,
>  
>  		v3d_perfmon_stop(v3d, perfmon, true);
>  
> -		if (job->copy.do_64bit) {
> -			for (j = 0; j < perfmon->ncounters; j++)
> -				write_to_buffer_64(data, offset + j,
> -						   perfmon->values[j]);
> -		} else {
> -			for (j = 0; j < perfmon->ncounters; j++)
> -				write_to_buffer_32(data, offset + j,
> -						   perfmon->values[j]);
> -		}
> +		for (j = 0; j < perfmon->ncounters; j++)
> +			write_to_buffer(data, offset + j, job->copy.do_64bit, perfmon->values[j]);

[Severity: High]
This is a pre-existing issue, but does this code properly validate the bounds
of the destination buffer before writing?

Looking at v3d_write_performance_query_result() and the surrounding job
execution functions like v3d_copy_performance_query(), it appears the offset,
stride, and count values provided by userspace are used without being checked
against the GEM object size.

For example, when calculating the initial data pointer and incrementing it:

    data = ((u8 *)bo->vaddr) + copy->offset;
    for (int i = 0; i < performance_query->count; i++) {
        // ...
        data += copy->stride;
    }

The same pattern seems to exist in v3d_copy_query_results() for timestamp
queries:

    data = ((u8 *)bo->vaddr) + copy->offset;

Since these userspace-provided parameters are added directly to the buffer's
kernel virtual address, could this allow an out-of-bounds memory access if
large offset, stride, or count parameters are passed via the CPU job ioctl?

>  
>  		v3d_perfmon_put(perfmon);
>  	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-v3d-cpu-job-fixes-v3-0-bc51b1f3eeb5@igalia.com?part=3

      reply	other threads:[~2026-07-03 15:43 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 15:33 [PATCH v3 0/3] drm/v3d: Miscellaneous fixes Maíra Canal
2026-07-03 15:33 ` [PATCH v3 1/3] drm/v3d: Associate BOs with every job that accesses them Maíra Canal
2026-07-03 15:54   ` sashiko-bot
2026-07-03 15:33 ` [PATCH v3 2/3] drm/v3d: Reject invalid indirect BO handle in indirect CSD setup Maíra Canal
2026-07-03 15:49   ` sashiko-bot
2026-07-03 15:33 ` [PATCH v3 3/3] drm/v3d: Use write_to_buffer() helper in performance query copy Maíra Canal
2026-07-03 15:43   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703154349.5FE3C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=mcanal@igalia.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox