7.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:29:19 +0000 (17:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:29:19 +0000 (17:29 +0200)
added patches:
drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch

queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch [new file with mode: 0644]
queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch [new file with mode: 0644]
queue-7.0/series

diff --git a/queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644 (file)
index 0000000..cbfe9b6
--- /dev/null
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL <sdl@nppct.ru>
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1972,6 +1972,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+       for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+               uint32_t offset, size, *create;
++              uint64_t buf_end;
+               if (msg[0] != RDECODE_MESSAGE_CREATE)
+                       continue;
+@@ -1979,7 +1980,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+               offset = msg[1];
+               size = msg[2];
+-              if (size < 4 || offset + size > end - addr) {
++              if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++                  buf_end > end - addr) {
+                       DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+                       r = -EINVAL;
+                       goto out;
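Review bot: In the queued vcn_v3_0_dec_msg() change, `check_add_overflow(offset, size, &buf_end)` can never report overflow, because `offset` and `size` are `uint32_t` while the destination `buf_end` is `uint64_t`; assuming the helper wraps `__builtin_add_overflow` as in current include/linux/overflow.h, overflow is judged against the destination type, and the sum of two 32-bit values always fits in 64 bits. The bound check itself still holds, since `buf_end` carries the untruncated sum into `buf_end > end - addr`, but the protection comes from the widening rather than from the overflow test, which reads as if it were the guard. Either state that with a comment such as `/* u32 + u32 cannot overflow u64; buf_end holds the exact sum */`, or drop the helper and write `if (size < 4 || (uint64_t)offset + size > end - addr) {`. The same applies to the vcn_v4_0_dec_msg() patch queued in the next file. Both functions start and end outside the quoted hunks, so the types of `end` and `addr` are not visible here and should be confirmed as 64-bit.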
diff --git a/queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch b/queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
new file mode 100644 (file)
index 0000000..ebc22c1
--- /dev/null
@@ -0,0 +1,43 @@
+From 65bce27ea6192320448c30267ffc17ffa094e713 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn4: Avoid overflow on msg bound check
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
+Cc: SDL <sdl@nppct.ru>
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+       for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+               uint32_t offset, size, *create;
++              uint64_t buf_end;
+               if (msg[0] != RDECODE_MESSAGE_CREATE)
+                       continue;
+@@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+               offset = msg[1];
+               size = msg[2];
+-              if (size < 4 || offset + size > end - addr) {
++              if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++                  buf_end > end - addr) {
+                       DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+                       r = -EINVAL;
+                       goto out;
index 8a794b201ff5749674686b258a3cf6d23ad3913e..2201ce3c969826b3e489ab4dd5912ce6f3ad27b7 100644 (file)
@@ -197,3 +197,5 @@ vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
 vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
 vsock-virtio-fix-potential-unbounded-skb-queue.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch