git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
drm/xe: Fix overflow in guc_ct_snapshot_capture
author Mika Kuoppala <mika.kuoppala@linux.intel.com>
Wed, 4 Mar 2026 21:17:28 +0000 (23:17 +0200)
committer Matthew Brost <matthew.brost@intel.com>
Thu, 12 Mar 2026 14:10:58 +0000 (07:10 -0700)
snapshot->ctb is u32*, so pointer arithmetic on it scales
the byte offset from xe_bo_size() by 4, overshooting the
intended start of the g2h portion and writing past the
allocated buffer.

Fix this by using void * to get the arithmetic right and
prevent future mishaps.

v2: s/u8/void for memcpy and iosys_map consistency (Matt)

Fixes: af3de6cf06f9 ("drm/xe: Split H2G and G2H into separate buffer objects")
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: intel-xe@lists.freedesktop.org
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260304211728.249104-1-mika.kuoppala@linux.intel.com
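
The scaling described in the commit message, as a user-space model added here (not part of the commit or the xe driver). The buffer sizes, the canary guard and the `capture` helper are constructed for illustration, and `char *` stands in for the kernel's byte-granular `void *` arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for the model; not the driver's real buffer sizes. */
#define H2G_BYTES   256u
#define G2H_BYTES   256u
#define SNAP_BYTES  (H2G_BYTES + G2H_BYTES)   /* what the snapshot allocates */
/* Oversized arena so the mistyped arithmetic stays in valid memory here;
 * everything past SNAP_BYTES is a canary-filled guard region. */
#define ARENA_BYTES (H2G_BYTES * sizeof(uint32_t) + G2H_BYTES)

/* Copies a G2H payload behind the H2G portion. Returns the number of bytes
 * written outside the snapshot; *start gets the payload's byte offset. */
static size_t capture(int typed_u32, size_t *start)
{
	unsigned char *arena = malloc(ARENA_BYTES);
	unsigned char g2h[G2H_BYTES];
	size_t i, spilled = 0;

	if (!arena)
		return (size_t)-1;
	memset(arena, 0xAA, ARENA_BYTES);              /* canary */
	memset(g2h, 0x22, sizeof(g2h));                /* G2H payload */
	if (typed_u32) {
		uint32_t *ctb = (uint32_t *)arena;         /* before: u32 *ctb */
		memcpy(ctb + H2G_BYTES, g2h, G2H_BYTES);   /* moves 4 * H2G_BYTES */
	} else {
		void *ctb = arena;                         /* after: void *ctb */
		memcpy((char *)ctb + H2G_BYTES, g2h, G2H_BYTES); /* moves H2G_BYTES */
	}
	for (i = 0; i < ARENA_BYTES && arena[i] != 0x22; i++)
		;
	*start = i;
	for (i = SNAP_BYTES; i < ARENA_BYTES; i++)
		spilled += (arena[i] != 0xAA);
	free(arena);
	return spilled;
}

int main(void)
{
	size_t off, out = capture(1, &off);
	printf("u32 *ctb : offset %zu, %zu bytes outside snapshot\n", off, out);
	out = capture(0, &off);
	printf("void *ctb: offset %zu, %zu bytes outside snapshot\n", off, out);
	return 0;
}
```
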
drivers/gpu/drm/xe/xe_guc_ct_types.h

index 46ad1402347ddfc7cea3600cec90d9559aa06172..5da1ce5dc3724398258d46ca9983c84df1197333 100644 (file)
@@ -74,7 +74,7 @@ struct xe_guc_ct_snapshot {
        /** @ctb_size: size of the snapshot of the CTB */
        size_t ctb_size;
        /** @ctb: snapshot of the entire CTB */
-       u32 *ctb;
+       void *ctb;
 };
 
 /**
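
Review bot: the kernel-doc for `@ctb` on the changed member still reads only "snapshot of the entire CTB", so nothing at the declaration tells a reader that offsets into it are byte offsets or where the g2h portion starts. Since the bug came from combining a byte offset with a typed pointer, consider extending the comment to state that `ctb_size` and any offset applied to `ctb` are in bytes and to describe the h2g/g2h layout of the snapshot. With `void *ctb`, any user that indexes or dereferences `ctb` as dwords needs an explicit `u32 *` local; only this header hunk is visible here, so confirm those users were converted once per function rather than cast at each use.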