Re: [PATCH] drm/v3d: reject an invalid indirect CSD buffer handle

[Maíra Canal]

Hi JaeHoon,

Duplicated patch, please check [1].

[1] 
https://lore.kernel.org/dri-devel/20260610-v3d-cpu-job-fixes-v1-0-0d9c88989edc@xxxxxxxxxx/T/#m42c7a8cf94b8cb787cca01dfbdaf5fdce40c7332

Best regards,
- Maíra

On 16/06/26 04:00, JaeHoon Lee wrote:
> v3d_get_cpu_indirect_csd_params() does not check the result of
> drm_gem_object_lookup().  A bogus indirect CSD handle from userspace
> makes it store NULL in info->indirect; when the CPU job runs,
> v3d_rewrite_csd_job_wg_counts_from_indirect() dereferences it through
> v3d_get_bo_vaddr() and oopses the kernel.  Any unprivileged client can
> trigger this.
>
> Reject the NULL handle with -ENOENT, as every other GEM lookup in this
> driver does.  v3d_cpu_job_free() drops the reference under a NULL check,
> so the error path leaks nothing.
>
> Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: JaeHoon Lee <dlwognsdc610@xxxxxxxxx>
> ---
>   drivers/gpu/drm/v3d/v3d_submit.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
> index ee2ac2540ed5..05f98379c1a4 100644
> --- a/drivers/gpu/drm/v3d/v3d_submit.c
> +++ b/drivers/gpu/drm/v3d/v3d_submit.c
> @@ -605,6 +605,8 @@ v3d_get_cpu_indirect_csd_params(struct drm_file *file_priv,
>   	       sizeof(indirect_csd.wg_uniform_offsets));
>   
>   	info->indirect = drm_gem_object_lookup(file_priv, indirect_csd.indirect);
> +	if (!info->indirect)
> +		return -ENOENT;
>   
>   	return 0;
>   }