From: Lucas De Marchi <lucas.demarchi@intel.com>
Date: Fri, 28 Jun 2024 16:17:26 +0000 (-0700)
Subject: drm/xe/rtp: Fix out-of-bounds array access
X-Git-Tag: v6.11-rc1~141^2~13^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7dc10eff223b0e9fed5d48159820556a576be592;p=thirdparty%2Fkernel%2Fstable.git

drm/xe/rtp: Fix out-of-bounds array access

Increment the counter before checking for number of rules, otherwise
when there's no XE_RTP_MATCH_OR an out-of-bounds access is done, as
reported by kasan:

	BUG: KASAN: global-out-of-bounds in rule_matches+0xb6d/0x11c0 [xe]
	Read of size 1 at addr ffffffffa0a50b70 by task systemd-udevd/243

Fixes: dc72c52a42e0 ("drm/xe/rtp: Allow to OR rules")
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240628161726.836734-1-lucas.demarchi@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
---

diff --git a/drivers/gpu/drm/xe/xe_rtp.c b/drivers/gpu/drm/xe/xe_rtp.c
index 5b27f7c45ea32..02e28274282f9 100644
--- a/drivers/gpu/drm/xe/xe_rtp.c
+++ b/drivers/gpu/drm/xe/xe_rtp.c
@@ -121,7 +121,7 @@ static bool rule_matches(const struct xe_device *xe,
 			 * Advance rules until we find XE_RTP_MATCH_OR to check
 			 * if there's another set of conditions to check
 			 */
-			while (i < n_rules && rules[++i].match_type != XE_RTP_MATCH_OR)
+			while (++i < n_rules && rules[i].match_type != XE_RTP_MATCH_OR)
 				;
 
 			if (i >= n_rules)