The V3D_SUBMIT_CPU COPY_TIMESTAMP_QUERY and COPY_PERFORMANCE_QUERY extensions take a destination offset, per-query stride and query count from userspace and consume them at job exec without checking the write extent against the destination BO. A render-node user (DRM_RENDER_ALLOW, no master, no capability) can drive a controlled-offset out-of-bounds write past the BO's vmap mapping; the timestamp variant also reads each result from an unchecked offset into the second BO.
Patch 1 validates the full write extent against the BO size before the job is queued, using check_*_overflow() so a u32 product cannot wrap. Patch 2 adds a KUnit reproducer the maintainer may take or drop. Reproduced under KASAN via the KUnit over a shmem-backed BO: the trigger faults on stock and is rejected at submit on patched; two in-bounds controls pass on both.

Michael Bommarito (2):
  drm/v3d: validate copy-query buffer bounds against destination BO size
  drm/v3d: add KUnit reproducer for the copy-query out-of-bounds write

 drivers/gpu/drm/v3d/Kconfig                |  10 ++
 drivers/gpu/drm/v3d/v3d_copy_query_kunit.c | 172 +++++++++++++++++++++
 drivers/gpu/drm/v3d/v3d_drv.h              |   3 +
 drivers/gpu/drm/v3d/v3d_sched.c            |   4 +
 drivers/gpu/drm/v3d/v3d_submit.c           |  86 +++++++++++
 5 files changed, 275 insertions(+)
 create mode 100644 drivers/gpu/drm/v3d/v3d_copy_query_kunit.c

base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
-- 
2.53.0
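An added illustration of the extent check Patch 1 describes, written for this page and not taken from the series or the v3d driver: a naive u32 extent computation beside one that rejects wrap, built on the compiler builtins that the kernel's check_*_overflow() helpers wrap. The struct, its field names and the fixed result_size are assumptions, not the driver's real submit parameters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical copy-query parameters as userspace would supply them
 * (constructed stand-in; not the v3d driver's real structure). */
struct copy_query_params {
	uint32_t offset;      /* destination offset into the BO */
	uint32_t stride;      /* bytes between consecutive query results */
	uint32_t count;       /* number of queries to copy */
	uint32_t result_size; /* bytes written per query (assumed fixed) */
};

/* Naive check: the extent is computed in u32, so stride * (count - 1)
 * can wrap and an oversized request compares as in-bounds. */
static bool extent_ok_naive(const struct copy_query_params *p, size_t bo_size)
{
	uint32_t end = p->offset + p->stride * (p->count - 1) + p->result_size;

	return p->count != 0 && end <= bo_size;
}

/* Checked version, modelled on check_mul_overflow()/check_add_overflow():
 * every intermediate is tested for wrap in the same u32 width, and the
 * final extent is compared against the BO size before anything is queued. */
static bool extent_ok_checked(const struct copy_query_params *p, size_t bo_size)
{
	uint32_t span, end;

	if (p->count == 0)
		return false;
	if (__builtin_mul_overflow(p->stride, p->count - 1, &span))
		return false;
	if (__builtin_add_overflow(p->offset, span, &end))
		return false;
	if (__builtin_add_overflow(end, p->result_size, &end))
		return false;
	return end <= bo_size;
}

int main(void)
{
	/* Constructed request whose stride * (count - 1) is exactly 2^32. */
	struct copy_query_params wrap = { 0, 65536, 65537, 8 };

	printf("naive: %d  checked: %d\n", extent_ok_naive(&wrap, 4096),
	       extent_ok_checked(&wrap, 4096));
	return 0;
}
```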
