From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7941236AB7C for ; Fri, 29 May 2026 12:23:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.20 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780057434; cv=none; b=B2f6SvIPHpaF8WC4R9SXQH/1rt0PEP7e9mUpZUwallT/EvdIMnLrHCbIiSTBeri8VEfjNyqREacNZsBFLK8T2UpFAxXuhPtD5ARYQR7SqsiNYthLnmDEc+3x3E0B+zXN29FjZ/hBQ48H6SXJc1r+LQJhf8UfreLYXUI4r5QR9/s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780057434; c=relaxed/simple; bh=fDrEew63oKedZYzWJjWxYyWisAICIOrMMrTYw4gEUeA=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=PQtGHo75EbyZmllvuqPp6bzBjJyer5vX4wNe83aiaYSJ5XGsS7Wq3B5OGZXoxrRMFLb7ewrPZhQDuEzigv3EBMSmdtl4GNYs6w6ndapB12m06Qjw3EbnD1B5GJi+dgZfunuRhNk36KIw5igVQpUyyYy5N4usIaY1glf5EtHccTI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=pass smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=Qwh7z1YN; arc=none smtp.client-ip=198.175.65.20 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="Qwh7z1YN" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1780057432; x=1811593432; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=fDrEew63oKedZYzWJjWxYyWisAICIOrMMrTYw4gEUeA=; b=Qwh7z1YNoe1iZBCyxSBpBeZ3UC3SAzSmMGM+oom0X1TI1vCYVU5BgQG+ cwwkBAtJiUd91LfDxtQ4t/dTi5B8XxF6IFqtFVgBHZkmo+EsoiD3JIV9J C0nUbMX4P844ckviVZnuBr/vF9z8fwWPke8udLoWeXOufa7dFwQoqkQCB Mhm/nuCaWQ12cIruic0uAChkCniud2H5XNIFDlV1CaskiHjd34JYe50yY JSeYMbP/G1hFJTHhR0+V8Cq1IVY7AUikp4mcVp5pzg3c5Os8t2ymnJCP3 m3sWuufoBb1OHGg/CuD/Sfh1YBLdIGtDWUWHGTqQlecnB8VCXmn+rL5Jh w==; X-CSE-ConnectionGUID: nJzgD7r0Q8a4fz3FODKIxg== X-CSE-MsgGUID: G+LlJc4fTCOkm9ZFNy8BCg== X-IronPort-AV: E=McAfee;i="6800,10657,11800"; a="80634668" X-IronPort-AV: E=Sophos;i="6.24,175,1774335600"; d="scan'208";a="80634668" Received: from fmviesa003.fm.intel.com ([10.60.135.143]) by orvoesa112.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 May 2026 05:23:49 -0700 X-CSE-ConnectionGUID: pZLvH75iQ/Kj7tE+ncKrRA== X-CSE-MsgGUID: Al7sdM+RTQ2Zjc7FpR6YAQ== X-ExtLoop1: 1 Received: from mgoluns-desk.ger.corp.intel.com (HELO [10.245.80.25]) ([10.245.80.25]) by fmviesa003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 May 2026 05:23:47 -0700 Message-ID: <8cd98877-6535-4ca4-8c96-88c136a2dac1@linux.intel.com> Date: Fri, 29 May 2026 14:23:44 +0200 Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] accel/ivpu: Add buffer overflow check in MS get_info_ioctl To: Andrzej Kacprowski , dri-devel@lists.freedesktop.org Cc: oded.gabbay@gmail.com, jeff.hugo@oss.qualcomm.com, lizhi.hou@amd.com, dawid.osuchowski@linux.intel.com, stable@vger.kernel.org References: <20260529120841.135852-1-andrzej.kacprowski@linux.intel.com> Content-Language: en-US From: "Wachowski, Karol" In-Reply-To: <20260529120841.135852-1-andrzej.kacprowski@linux.intel.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 29-May-26 14:08, Andrzej Kacprowski wrote: > Add validation that the info size returned from the metric stream info > query is not exceeded when checked against the allocated buffer size. > If the firmware returns a size larger than the buffer, reject the > operation with -EOVERFLOW instead of proceeding with an incorrect > buffer copy. > > Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") > Cc: # v6.18+ > Signed-off-by: Andrzej Kacprowski Reviewed-by: Karol Wachowski > --- > drivers/accel/ivpu/ivpu_ms.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c > index be43851f5f32..cd176e77b9a0 100644 > --- a/drivers/accel/ivpu/ivpu_ms.c > +++ b/drivers/accel/ivpu/ivpu_ms.c > @@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_device *dev, void *data, struct drm_file * > if (ret) > goto unlock; > > + if (info_size > ivpu_bo_size(bo)) { > + ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n", > + info_size, ivpu_bo_size(bo)); > + ret = -EOVERFLOW; > + goto unlock; > + } > + > if (args->buffer_size < info_size) { > ret = -ENOSPC; > goto unlock;