[PATCH] drm/v3d: reject an invalid indirect CSD buffer handle

From: JaeHoon Lee

Date: Mon Jun 15 2026 - 18:01:39 EST


v3d_get_cpu_indirect_csd_params() does not check the result of
drm_gem_object_lookup(). A bogus indirect CSD handle from userspace
makes it store NULL in info->indirect; when the CPU job runs,
v3d_rewrite_csd_job_wg_counts_from_indirect() dereferences it through
v3d_get_bo_vaddr() and oopses the kernel. Any unprivileged client can
trigger this.

Reject the NULL handle with -ENOENT, as every other GEM lookup in this
driver does. v3d_cpu_job_free() drops the reference under a NULL check,
so the error path leaks nothing.

Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: JaeHoon Lee <dlwognsdc610@xxxxxxxxx>
---
drivers/gpu/drm/v3d/v3d_submit.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index ee2ac2540ed5..05f98379c1a4 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -605,6 +605,8 @@ v3d_get_cpu_indirect_csd_params(struct drm_file *file_priv,
sizeof(indirect_csd.wg_uniform_offsets));

info->indirect = drm_gem_object_lookup(file_priv, indirect_csd.indirect);
+ if (!info->indirect)
+ return -ENOENT;

return 0;
}
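Review bot: the new `return -ENOENT` after `info->indirect = drm_gem_object_lookup(file_priv, indirect_csd.indirect);` exits with `info` already partly filled in, since the statement ending in `sizeof(indirect_csd.wg_uniform_offsets));` just above has already run. Nothing in this hunk shows how the caller unwinds from that error. The changelog says v3d_cpu_job_free() drops the reference under a NULL check, so please name in the commit message the caller path that reaches v3d_cpu_job_free() when this function fails, so the "leaks nothing" claim can be checked against the code rather than taken from the description. Since the oops is described as reachable by any unprivileged client, a short note on how the fix was tested (submitting a bogus indirect handle and observing -ENOENT instead of the NULL dereference) would also help stable backporters.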
--
2.43.0