git.ipfire.org Git - thirdparty/linux.git/commit

author	Chenglei Xie <Chenglei.Xie@amd.com>
	Thu, 7 May 2026 20:16:58 +0000 (16:16 -0400)
committer	Alex Deucher <alexander.deucher@amd.com>
	Mon, 18 May 2026 22:13:37 +0000 (18:13 -0400)
commit	c06b6cde2a1c3bcbb561bd57bb6f34eae9030921
tree	3917564fc29046c66cb9c3aeec0bd3371ebb6db4	tree \| snapshot
parent	3635e1104aa21a01c2e6e7dde02a5b3641f4c46c	commit \| diff

drm/amdgpu: fix OOB risk parsing virt RAS batch trace replies on the VF

amdgpu_virt_ras_get_batch_records() indexed batchs[] and records[]
from ras_cmd_batch_trace_record_rsp copied out of shared memory without
fully bounding the cache window or per-batch offset/trace_num. A
tampered or corrupted buffer could set real_batch_num past the array,
make a naive start_batch_id + real_batch_num comparison wrap in
uint64_t, or point offset+trace_num past records[].

Add amdgpu_virt_ras_check_batch_cached() for a subtraction-based window
with a real_batch_num cap, re-run it after GET_BATCH_TRACE_RECORD, and
use an explicit batch index into batchs[]. Consolidate batch_id,
trace_num, and offset+trace_num checks; on any failure memset the cache
and return -EIO so the next call refetches.

Signed-off-by: Chenglei Xie <Chenglei.Xie@amd.com>
Reviewed-by: YiPeng Chai <YiPeng.Chai@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>