[PATCH 0/2] drm/v3d: bound CPU-job copy-query writes to the destination BO
From: Michael Bommarito
Date: Sun Jun 14 2026 - 09:15:27 EST
The V3D_SUBMIT_CPU COPY_TIMESTAMP_QUERY and COPY_PERFORMANCE_QUERY
extensions take a destination offset, per-query stride and query count
from userspace and consume them at job exec without checking the write
extent against the destination BO. A render-node user (DRM_RENDER_ALLOW,
no master, no capability) can drive a controlled-offset out-of-bounds
write past the BO's vmap mapping; the timestamp variant also reads each
result from an unchecked offset into the second BO.

Patch 1 validates the full write extent against the BO size before the
job is queued, using check_*_overflow() so a u32 product cannot wrap.
Patch 2 adds a KUnit reproducer the maintainer may take or drop.

Reproduced under KASAN via the KUnit test over a shmem-backed BO: the
trigger faults on stock and is rejected at submit on patched; two
in-bounds controls pass on both.
Michael Bommarito (2):
  drm/v3d: validate copy-query buffer bounds against destination BO size
  drm/v3d: add KUnit reproducer for the copy-query out-of-bounds write

 drivers/gpu/drm/v3d/Kconfig                |  10 ++
 drivers/gpu/drm/v3d/v3d_copy_query_kunit.c | 172 +++++++++++++++++++++
 drivers/gpu/drm/v3d/v3d_drv.h              |   3 +
 drivers/gpu/drm/v3d/v3d_sched.c            |   4 +
 drivers/gpu/drm/v3d/v3d_submit.c           |  86 +++++++++++
 5 files changed, 275 insertions(+)
 create mode 100644 drivers/gpu/drm/v3d/v3d_copy_query_kunit.c
base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
--
2.53.0
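The cover letter's one-line description of patch 1 (validate the full write extent against the BO size with overflow-checked arithmetic) is the whole defensive idea, so the following stand-alone C example illustrates it. This is an added illustration, not the series' own code or anything from the v3d driver: the function names, the `elem_size` parameter and the sample BO size are assumptions. It places a naive u32 computation beside the checked one to show why the product must be overflow-checked rather than merely compared; the checked version uses the compiler builtins that the kernel's check_add_overflow()/check_mul_overflow() wrappers expand to on GCC and Clang.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical naive check (assumed shape, not the driver's code): u32
 * arithmetic wraps silently, so a large stride*count product can appear
 * to fit inside the BO. This is the pattern the series is fixing. */
static bool naive_extent_ok(uint32_t bo_size, uint32_t offset,
                            uint32_t stride, uint32_t count,
                            uint32_t elem_size)
{
    uint32_t end = (uint32_t)(offset + stride * (count - 1) + elem_size);

    return end <= bo_size;
}

/* Hypothetical checked version (names and elem_size are assumptions).
 * Every step goes through an overflow-checking builtin, which is what
 * check_mul_overflow()/check_add_overflow() expand to in the kernel, and
 * the extent is carried in 64 bits, so no wrapped value can pass. */
static bool copy_query_extent_ok(uint64_t bo_size, uint32_t offset,
                                 uint32_t stride, uint32_t count,
                                 uint32_t elem_size)
{
    uint64_t span, end;

    /* A zero-count or zero-sized query has no defined write extent. */
    if (count == 0 || elem_size == 0)
        return false;

    /* Distance from the first to the last element: stride * (count - 1). */
    if (__builtin_mul_overflow((uint64_t)stride, (uint64_t)(count - 1), &span))
        return false;

    /* One past the last byte written: offset + span + elem_size. */
    if (__builtin_add_overflow(span, (uint64_t)offset, &end))
        return false;
    if (__builtin_add_overflow(end, (uint64_t)elem_size, &end))
        return false;

    return end <= bo_size;
}

int main(void)
{
    /* Constructed sample: a 4 KiB BO, 8-byte results, stride 8. */
    const uint64_t bo_size = 4096;

    printf("512 results in bounds: naive=%d checked=%d\n",
           naive_extent_ok(bo_size, 0, 8, 512, 8),
           copy_query_extent_ok(bo_size, 0, 8, 512, 8));
    printf("513 results out of bounds: naive=%d checked=%d\n",
           naive_extent_ok(bo_size, 0, 8, 513, 8),
           copy_query_extent_ok(bo_size, 0, 8, 513, 8));
    /* Constructed wrapping case: stride * (count - 1) == 2^32. */
    printf("wrapping product: naive=%d checked=%d\n",
           naive_extent_ok(bo_size, 0, 0x10000, 0x10001, 8),
           copy_query_extent_ok(bo_size, 0, 0x10000, 0x10001, 8));
    return 0;
}
```

The last case is the instructive one: the naive u32 computation reports a product of 2^32 as zero and accepts a write extent far beyond the BO, while the checked version rejects it before any job is queued, which is the submit-time rejection the cover letter describes.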