From: Mika Kuoppala Date: Wed, 4 Mar 2026 21:17:28 +0000 (+0200) Subject: drm/xe: Fix overflow in guc_ct_snapshot_capture X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=635e3eba1ebcd5b92856e975e1d3859b487dc88b;p=thirdparty%2Fkernel%2Flinux.git drm/xe: Fix overflow in guc_ct_snapshot_capture snapshot->ctb is u32*, so pointer arithmetic on it scales the byte offset from xe_bo_size() by 4, overshooting the intended start of the g2h portion and writing past the allocated buffer. Fix this by using void * to get the arithmetic right and prevent future mishaps. v2: s/u8/void for memcpy and iosys_map consistency (Matt) Fixes: af3de6cf06f9 ("drm/xe: Split H2G and G2H into separate buffer objects") Cc: Matthew Brost Cc: Thomas Hellström Cc: Rodrigo Vivi Cc: intel-xe@lists.freedesktop.org Signed-off-by: Mika Kuoppala Reviewed-by: Matthew Brost Signed-off-by: Matthew Brost Link: https://patch.msgid.link/20260304211728.249104-1-mika.kuoppala@linux.intel.com --- diff --git a/drivers/gpu/drm/xe/xe_guc_ct_types.h b/drivers/gpu/drm/xe/xe_guc_ct_types.h index 46ad1402347dd..5da1ce5dc3724 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct_types.h +++ b/drivers/gpu/drm/xe/xe_guc_ct_types.h @@ -74,7 +74,7 @@ struct xe_guc_ct_snapshot { /** @ctb_size: size of the snapshot of the CTB */ size_t ctb_size; /** @ctb: snapshot of the entire CTB */ - u32 *ctb; + void *ctb; }; /**
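Review bot: the kernel-doc for @ctb in struct xe_guc_ct_snapshot still reads only "snapshot of the entire CTB" and says nothing about units, although the commit message attributes the overflow to a byte offset from xe_bo_size() being applied to a u32 pointer. Suggest extending the comment, for example "/** @ctb: snapshot of the entire CTB, addressed in bytes */", and stating in the @ctb_size comment that the size is in bytes as well, so the next reader does not reintroduce dword-scaled arithmetic. With the field now void *, any code that walks the snapshot as dwords has to cast explicitly. The hunk shown touches only xe_guc_ct_types.h, so the capture and print paths that use snapshot->ctb are worth checking against the new type.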