gfx: pvr: check the size of SGX_READ_HWPERF IOCTL parameters

We need to add a separate size check for this IOCTL's parameters, since
they are passed by a pointer in the IOCTL's input structure. We do check
the size for all IOCTL's input structure already, but we need to cover
such derefenced objects separately.

Increase the driver's minor version too. This will still let the current
user space libraries work, except for this IOCTL, which was broken
before anyway. A related user space library fix will be submitted to
make the IOCTL work.

Signed-off-by: Imre Deak <imre.deak@intel.com>
Tested-by: Pauli Nieminen <pauli.nieminen@linux.intel.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

diff --git a/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h b/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
index d9c8db9..a55a4e3 100644 (file)
--- a/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
+++ b/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
@@ -458,6 +458,7 @@ typedef struct PVRSRV_BRIDGE_IN_SGX_READ_HWPERF_CB_TAG
        IMG_UINT32                                      ui32BridgeFlags; 
        IMG_HANDLE                                      hDevCookie;
        IMG_UINT32                                      ui32ArraySize;
+       IMG_UINT32                      entry_size;
        PVRSRV_SGX_HWPERF_CB_ENTRY      *psHWPerfCBData;
 } PVRSRV_BRIDGE_IN_SGX_READ_HWPERF_CB;
 

diff --git a/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c b/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
index b1d67a5..b811f09 100644 (file)
--- a/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
+++ b/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
@@ -788,6 +788,7 @@ SGXReadHWPerfCBBW(IMG_UINT32                                                        ui32BridgeID,
        PVRSRV_SGX_HWPERF_CB_ENTRY      *psAllocated;
        IMG_HANDLE                                      hAllocatedHandle;
        IMG_UINT32                                      ui32AllocatedSize;
+       size_t  entry_size;
 
        PVRSRV_BRIDGE_ASSERT_CMD(ui32BridgeID, PVRSRV_BRIDGE_SGX_READ_HWPERF_CB);
 
@@ -801,8 +802,11 @@ SGXReadHWPerfCBBW(IMG_UINT32                                                       ui32BridgeID,
                return 0;
        }
 
-       ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize *
-                                                       sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]);
+       entry_size = sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]);
+       if (psSGXReadHWPerfCBIN->entry_size != entry_size)
+               return -EINVAL;
+
+       ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize * entry_size;
        ASSIGN_AND_EXIT_ON_ERROR(psSGXReadHWPerfCBOUT->eError,
                            OSAllocMem(PVRSRV_OS_PAGEABLE_HEAP,
                            ui32AllocatedSize,

diff --git a/include/drm/pvr_drm.h b/include/drm/pvr_drm.h
index 7c54b7f..445cec6 100644 (file)
--- a/include/drm/pvr_drm.h
+++ b/include/drm/pvr_drm.h
@@ -2,6 +2,6 @@
 #define _PVR_DRM_H_
 
 #define PVR_ABI_VER_MAJOR      2
-#define PVR_ABI_VER_MINOR      0
+#define PVR_ABI_VER_MINOR      1
 
 #endif