From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BD5F3793BB for ; Wed, 1 Jul 2026 18:44:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782931476; cv=none; b=T+zwIS8erx44xlf7QmbdbP0HB+TPFFQHq9oUoAQGBhWG3O658V/nvn3cOq/EFSNjPqDitWeLq+fCAbHjlRwcbDQu+21C+Hh5eUOH5hIUA6yLex124z+DtOgr6k+pHPS9oqTq+l4awBDwEc6fP7nlQ5lySo1SCQMh+LjftUIXGrU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782931476; c=relaxed/simple; bh=/acg9/ZV4XQhN1wNrm7pTsDWmwMqd50DhwanU/SMjU0=; h=Message-ID:Date:From:To:Cc:Subject:MIME-Version:Content-Type; b=UTN9umVLehRlgPtb+HgCWgQdCRYw0zDjADf8ag9ePv3V/cn4nhdKiq6TPNLBx83k7NSWGVfbUQNUZMo+RcfYVTphFOqsAs8xwMDMUabtrp/4NSOBkD1XLH4lbXpSHUt+w0i5Xk6sUuRqVraj/g/LYxrUTC8jESRUODXTWyn+NaQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gPoUMhYP; arc=none smtp.client-ip=209.85.216.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gPoUMhYP" Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-37e1607f7faso661202a91.1 for ; Wed, 01 Jul 2026 11:44:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782931475; x=1783536275; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:subject:cc:to:from:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=ban9nVUuk4Kjsoscd1xTKmaJVwsIyHeDMlfeDJiaGMA=; b=gPoUMhYP6pIC033r6Jk4W7GjjjmbFsOdlllM4gbtfIURJbVBUpuS7qmKt8KtWUw6bX 34zeaBvmYJvqRgXpzfhcs1bxrQtdNxOoDr0+lrGP74hyiiIbK51YpThNYibs7zCyU1Xu +qiLCTrATAIt+C0q6q7ioZ1uqDdtraTtCapQ9WzzKj83Ad7f2hYOflF1EN4jdstySvZb Kno3jzBFYvMQaUI8+ciRCkT6D9+UY3qKe+5EPqBd2y+ooMjz0MOQVSa0AY5aHWIMyMcK kw781Cna44o18e5KHB/fMFDAZHlM6fd1UzBwToHNe/UU6EsTXgADtSFhvAl6J8+RPolK MHmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782931475; x=1783536275; h=content-transfer-encoding:mime-version:subject:cc:to:from:date :message-id:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ban9nVUuk4Kjsoscd1xTKmaJVwsIyHeDMlfeDJiaGMA=; b=lMrEgghhEpQttQEgCMg7roV8uF01b1Uvp+vJ4Gud/lougLgZT4LcHbF8OjlF6IwAiK pek/91IwQwx4uwbCmm/FlwGlU8TGjCfAbBizPSZx6Yf0tQBSh5NlXo6i1wzvDlrX3rI3 Rb949bbTSWWaNx6fNs/U2yuH3sj2ULg1DojQw/MB75cnJGJT1FLyye5rBykV2Vou/AaD NupMwv3o7203eqL7qp+TJJRE8C6qS2Hi/gkmubyWgVj2XxGG3glBtjslospjVj+atKvF BPoI3f1rRS0DIMG/oFlyUB/nLX0KchTEqlfWkigDrbyvFYUK32rAaEvlIdqT78/0I+Yh bE4Q== X-Forwarded-Encrypted: i=1; AHgh+RpQgNi/7dZv5A+gkkahGMkfNhtatggAwJy3kqtP3ZuedFTa7yIyMGPbsxk41IHeYpPddA7k6BKl62QRlhE=@vger.kernel.org X-Gm-Message-State: AOJu0Yy1yWjzF9dBENQWbFfKMrXzRzi3gVic58qaSDR5ZQUvdAxaRBG2 yNpQcgoJKunD6/xvBKPZxC7Hp0ny1jSVxhIV2CuK/JebWyQY755xXHUs X-Gm-Gg: AfdE7clfJdla11sMaZ+iCOIoMsuip0FYAgwu96Ccm3I7JTrN/8sEjRBUQXaR9ZLK96r yVEVBrfVjkX8dsscbkrlnZun9bTwEvnrS5I01YLKGhFaBgaPzoVkmZv0FvN03y2gGZgcScQFFlP J7Dl0Sfpcp/OyALPwKb87Ssvch4T3vRxZhQHkSchBzXCQ26tRxsj6KkAZoOO32dc3WBbQKGHUof iR9EKFSRpWgTZDSnz9GqdSTUqHPK+v0SckGUN1TIcZzDBhCmhUu5HVd0uVe7Fi7uvosanY7dIt3 VH89G+IND30NkwIk9SPdAI2RFtSNEHghRYKLnI/Nd5tJMwcBwS2Dp3e2FktVusGDXNoMJjZNo7+ NjxHcSI/RVsdSTXw0tFJ6NojSZHDnwOOi9KMoznBA2wrpaV2+rGRG1954KmBaII+XuFZsWE+nns 9efsnoilbIsDKk3rAenjrwRd7oSJcR+OKqbsy6CIn0COoHQgYfuhgTDJ1npwypb3/hvKbnW++W5 rR8bkLAJ53TF2sCAUV4gsOaagezYUzqtOopcxk53dYB4f9OHVE/BPvLH3z/j1xWLEZ2E3liUbMu VCRHkVCTVw== X-Received: by 2002:a17:90a:d647:b0:369:a359:b181 with SMTP id 98e67ed59e1d1-380aa221bf1mr2580207a91.23.1782931474540; Wed, 01 Jul 2026 11:44:34 -0700 (PDT) Received: from 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa ([2407:1400:aa40:6780:6462:8b0c:2576:642b]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-30f0bb843fasm393406eec.18.2026.07.01.11.44.29 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Wed, 01 Jul 2026 11:44:34 -0700 (PDT) Message-ID: <6a456012.eb165e5c.113c2a.b71d@mx.google.com> Date: Wed, 01 Jul 2026 11:44:34 -0700 (PDT) From: Shuvam Pandey To: Frank Binns , Matt Coster Cc: Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Donald Robson , Sarah Walker , Alessio Belle , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2] drm/imagination: Fix user array stride in pvr_set_uobj_array() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pvr_set_uobj_array() copies an array of kernel objects to a userspace array whose element size is described by out->stride. When out->stride is different from the kernel object size, the slow path advances the userspace pointer by the kernel object size and the kernel pointer by the userspace stride. This reverses the intended layout. For larger userspace strides, later copies read from the wrong kernel addresses. For smaller userspace strides, later copies are written at the wrong userspace offsets. The padding clear is also done only for the first element instead of the padding area for each element. Advance the userspace pointer by out->stride and the kernel pointer by obj_size, and clear per-element padding while the current userspace pointer is still available. Fixes: f99f5f3ea7ef ("drm/imagination: Add GPU ID parsing and firmware loading") Cc: stable@vger.kernel.org # v6.8+ Reviewed-by: Alessio Belle Signed-off-by: Shuvam Pandey --- v2: - Fix From header to include name and email. - Add Alessio's Reviewed-by tag. drivers/gpu/drm/imagination/pvr_drv.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/imagination/pvr_drv.c b/drivers/gpu/drm/imagination/pvr_drv.c index 268900464ab6..0a68a9c32361 100644 --- a/drivers/gpu/drm/imagination/pvr_drv.c +++ b/drivers/gpu/drm/imagination/pvr_drv.c @@ -1252,14 +1252,13 @@ pvr_set_uobj_array(const struct drm_pvr_obj_array *out, u32 min_stride, u32 obj_ if (copy_to_user(out_ptr, in_ptr, cpy_elem_size)) return -EFAULT; - out_ptr += obj_size; - in_ptr += out->stride; - } + if (out->stride > obj_size && + clear_user(out_ptr + cpy_elem_size, out->stride - obj_size)) { + return -EFAULT; + } - if (out->stride > obj_size && - clear_user(u64_to_user_ptr(out->array + obj_size), - out->stride - obj_size)) { - return -EFAULT; + out_ptr += out->stride; + in_ptr += obj_size; } } -- 2.34.1