From 65c9dbd24404846a8740643da07a367dde3dc1ae Mon Sep 17 00:00:00 2001
From: Imre Deak
Date: Fri, 27 Jan 2012 18:27:32 +0200
Subject: [PATCH] gfx: pvr: check the size of SGX_READ_HWPERF IOCTL parameters

We need to add a separate size check for this IOCTL's parameters, since they are passed by a pointer in the IOCTL's input structure. We do check the size for all IOCTL's input structure already, but we need to cover such derefenced objects separately. Increase the driver's minor version too. This will still let the current user space libraries work, except for this IOCTL, which was broken before anyway. A related user space library fix will be submitted to make the IOCTL work.

Signed-off-by: Imre Deak
Tested-by: Pauli Nieminen
Signed-off-by: Kirill A. Shutemov
---
 drivers/staging/mrst/pvr/services4/include/sgx_bridge.h | 1 +
 .../mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c | 8 ++++++--
 include/drm/pvr_drm.h | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h b/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
index d9c8db9..a55a4e3 100644
--- a/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
+++ b/drivers/staging/mrst/pvr/services4/include/sgx_bridge.h
@@ -458,6 +458,7 @@ typedef struct PVRSRV_BRIDGE_IN_SGX_READ_HWPERF_CB_TAG
 IMG_UINT32 ui32BridgeFlags;
 IMG_HANDLE hDevCookie;
 IMG_UINT32 ui32ArraySize;
+ IMG_UINT32 entry_size;
 PVRSRV_SGX_HWPERF_CB_ENTRY *psHWPerfCBData;
 } PVRSRV_BRIDGE_IN_SGX_READ_HWPERF_CB;
diff --git a/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c b/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
index b1d67a5..b811f09 100644
--- a/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
+++ b/drivers/staging/mrst/pvr/services4/srvkm/bridged/sgx/bridged_sgx_bridge.c
@@ -788,6 +788,7 @@ SGXReadHWPerfCBBW(IMG_UINT32 ui32BridgeID, PVRSRV_SGX_HWPERF_CB_ENTRY *psAllocated; IMG_HANDLE hAllocatedHandle; IMG_UINT32 ui32AllocatedSize; + size_t entry_size; PVRSRV_BRIDGE_ASSERT_CMD(ui32BridgeID, PVRSRV_BRIDGE_SGX_READ_HWPERF_CB); @@ -801,8 +802,11 @@ SGXReadHWPerfCBBW(IMG_UINT32 ui32BridgeID, return 0; } - ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize * - sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]); + entry_size = sizeof(psSGXReadHWPerfCBIN->psHWPerfCBData[0]); + if (psSGXReadHWPerfCBIN->entry_size != entry_size) + return -EINVAL; + + ui32AllocatedSize = psSGXReadHWPerfCBIN->ui32ArraySize * entry_size; ASSIGN_AND_EXIT_ON_ERROR(psSGXReadHWPerfCBOUT->eError, OSAllocMem(PVRSRV_OS_PAGEABLE_HEAP, ui32AllocatedSize, diff --git a/include/drm/pvr_drm.h b/include/drm/pvr_drm.h index 7c54b7f..445cec6 100644 --- a/include/drm/pvr_drm.h +++ b/include/drm/pvr_drm.h @@ -2,6 +2,6 @@ #define _PVR_DRM_H_ #define PVR_ABI_VER_MAJOR 2 -#define PVR_ABI_VER_MINOR 0 +#define PVR_ABI_VER_MINOR 1 #endif -- 2.7.4
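Review bot: The multiplication `psSGXReadHWPerfCBIN->ui32ArraySize * entry_size` in the second hunk of bridged_sgx_bridge.c still takes the element count unchecked from the caller's input structure, and the product is stored in the 32-bit `ui32AllocatedSize`, so a large count can wrap or truncate to a small allocation size. The new `entry_size` comparison validates the element size only; bounding the count before the multiply would close that gap, for example `if (psSGXReadHWPerfCBIN->ui32ArraySize > UINT_MAX / entry_size) return -EINVAL;`, or a smaller driver-defined maximum. How the buffer is filled and copied back lies outside this hunk, so whether a short allocation can be overrun should be confirmed against the rest of SGXReadHWPerfCBBW. The new path also returns `-EINVAL` without setting `psSGXReadHWPerfCBOUT->eError`, unlike the `return 0` path just above it; if that difference is intended, a one-line comment saying so would help.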