accel/ivpu: Add buffer overflow check in MS get_info_ioctl

Add validation that the info size returned from the metric stream info
query is not exceeded when checked against the allocated buffer size.
If the firmware returns a size larger than the buffer, reject the
operation with -EOVERFLOW instead of proceeding with an incorrect
buffer copy.

Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com

diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c
index be43851f5f320e695c0c2ed8996aebfd38b467f8..cd176e77b9a01e193db3b128c72c18ddcbcb490d 100644 (file)
--- a/drivers/accel/ivpu/ivpu_ms.c
+++ b/drivers/accel/ivpu/ivpu_ms.c
@@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_device *dev, void *data, struct drm_file *
        if (ret)
                goto unlock;
 
+       if (info_size > ivpu_bo_size(bo)) {
+               ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
+                                     info_size, ivpu_bo_size(bo));
+               ret = -EOVERFLOW;
+               goto unlock;
+       }
+
        if (args->buffer_size < info_size) {
                ret = -ENOSPC;
                goto unlock;