GPUCORE-39469 Error handling for invalid slot when parsing trace dataandroid-u-qpr1-beta-2.2_r0.7android-14.0.0_r0.45android-14.0.0_r0.38android-gs-shusky-5.15-android14-qpr1-betaandroid-gs-shusky-5.15-android14-qpr1

If a slot number parsed from trace data exceeds the number of supported
CSG slots, the trace data must be discarded. Otherwise the access to
the invalid memory address could happen.

Bug: 304341806
Provenance: https://code.ipdelivery.arm.com/c/GPU/mali-ddk/+/6057
Signed-off-by: Jörg Wagner <jorwag@google.com>
Change-Id: I8e702e7487f2bea3618f2fe8ad696a1b546f10f2

1 files changed, 9 insertions, 3 deletions

diff --git a/mali_kbase/csf/mali_kbase_csf_scheduler.c b/mali_kbase/csf/mali_kbase_csf_scheduler.c
index ccac7c8..8450012 100644
--- a/mali_kbase/csf/mali_kbase_csf_scheduler.c
+++ b/mali_kbase/csf/mali_kbase_csf_scheduler.c
@@ -335,11 +335,17 @@ static bool gpu_metrics_read_event(struct kbase_device *kbdev, struct kbase_cont
 	if (kbase_csf_firmware_trace_buffer_read_data(tb, (u8 *)&e, GPU_METRICS_EVENT_SIZE) ==
 	    GPU_METRICS_EVENT_SIZE) {
 		const u8 slot = GPU_METRICS_CSG_GET(e.csg_slot_act);
-		struct kbase_queue_group *group =
-			kbdev->csf.scheduler.csg_slots[slot].resident_group;
+		struct kbase_queue_group *group;
+
+		if (WARN_ON_ONCE(slot >= kbdev->csf.global_iface.group_num)) {
+			dev_err(kbdev->dev, "invalid CSG slot (%u)", slot);
+			return false;
+		}
+
+		group = kbdev->csf.scheduler.csg_slots[slot].resident_group;
 
 		if (unlikely(!group)) {
-			dev_err(kbdev->dev, "failed to find CSG group from CSG slot(%u)", slot);
+			dev_err(kbdev->dev, "failed to find CSG group from CSG slot (%u)", slot);
 			return false;
 		}