git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Tejas Upadhyay <tejas.upadhyay@intel.com>
	Fri, 12 Jun 2026 07:04:02 +0000 (12:34 +0530)
committer	Matthew Brost <matthew.brost@intel.com>
	Tue, 16 Jun 2026 17:18:49 +0000 (10:18 -0700)
commit	632ecc90e1ca5d3b6822bb4d08f84a175b6c42c0
tree	e08cd869e40a82252eb691e3a4b1ad0c59b6c479	tree \| snapshot
parent	ba7fd163422877ad5a5cf31306a38c07d3932b0c	commit \| diff

drm/xe/guc: Fix buffer overflow in steered register list allocation

The size calculation for the steered register extarray uses only the
geometry DSS mask (g_dss_mask) to determine the number of entries to
allocate:

total = bitmap_weight(gt->fuse_topo.g_dss_mask, ...) * steer_reg_num;

However, the filling loop uses for_each_dss_steering(), which iterates
over for_each_dss(), defined as the union of g_dss_mask and c_dss_mask
(geometry + compute DSS). On platforms with compute-only DSS bits, the
loop writes past the allocated buffer, corrupting adjacent slab objects.

This manifests as list_del corruption and SLUB redzone overwrites during
drm_managed_release on device unbind, since the overflow corrupts the
drmres list_head of neighboring allocations.

Fix by computing the allocation size using the union of both DSS masks,
matching the iteration pattern of for_each_dss_steering().

--
v2:
- use bitmap_weighted_or() (Zhanjun)

Fixes: b170d696c1e2 ("drm/xe/guc: Add XE_LP steered register lists")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/8049
Cc: Zhanjun Dong <zhanjun.dong@intel.com>
Cc: stable@vger.kernel.org
Assisted-by: GitHub-Copilot:claude-opus-4.6
Reviewed-by: Zhanjun Dong <zhanjun.dong@intel.com>
Link: https://patch.msgid.link/20260612070401.543305-2-tejas.upadhyay@intel.com
Signed-off-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
(cherry picked from commit 0a78a44f4901aa6c9263e66be7fce02282f1109f)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>