From: Greg Kroah-Hartman Date: Fri, 15 May 2026 15:29:19 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e370e06872ff4d1188f173ccc30c2140b05e413e;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
---
diff --git a/queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..cbfe9b6756
--- /dev/null
+++ b/queue-7.0/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1972,6 +1972,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1979,7 +1980,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch b/queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..ebc22c1344
--- /dev/null
+++ b/queue-7.0/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
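Review bot: `check_add_overflow(offset, size, &buf_end)` in vcn_v3_0_dec_msg cannot return true as written, because both operands are `uint32_t` while the destination is `uint64_t`; as far as I know the helper judges overflow against the destination type, so the sum always fits and the wraparound protection really comes from the 64-bit comparison `buf_end > end - addr`. The result is correct, but the condition reads as if the overflow branch were the guard; either add a comment such as `/* buf_end is 64-bit, so offset + size cannot wrap; the range check is the real guard */` or write the widening directly as `buf_end = (uint64_t)offset + size;`. The check also relies on `end - addr` being a 64-bit value that cannot itself wrap (`end >= addr`), and both are declared outside this hunk, so that should be confirmed. The same point applies to the vcn_v4_0_dec_msg hunk in the second patch file. Both function bodies start and end outside the hunks shown.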
@@ -0,0 +1,43 @@
+From 65bce27ea6192320448c30267ffc17ffa094e713 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn4: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-7.0/series b/queue-7.0/series
index 8a794b201f..2201ce3c96 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -197,3 +197,5 @@ vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
 vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
 vsock-virtio-fix-potential-unbounded-skb-queue.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch