accel/ivpu: Fix signed integer truncation in IPC receive
authorAndrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Mon, 1 Jun 2026 16:16:43 +0000 (18:16 +0200)
committerKarol Wachowski <karol.wachowski@linux.intel.com>
Tue, 9 Jun 2026 05:52:50 +0000 (07:52 +0200)
Fix potential buffer overflow where firmware-supplied data_size is cast
to signed int before being used in min_t(). Large unsigned values
(>= 0x80000000) become negative, causing unsigned wraparound and
oversized memcpy operations that can overflow the stack buffer.

Change min_t(int, ...) to min() as both values are unsigned and can be
handled by min() without explicit cast.

Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
drivers/accel/ivpu/ivpu_ipc.c

index f47df092bb0dded1a98a3f3b027530010add16fc..9347f05a2b7924557eb6fcd77bafda0597074ec1 100644 (file)
@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device *vdev, struct ivpu_ipc_consumer *cons,
        if (ipc_buf)
                memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
        if (rx_msg->jsm_msg) {
-               u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+               u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
 
                if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
                        ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
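Review bot: The clamp on the added line silently accepts a `data_size` larger than `sizeof(*jsm_msg)`. The commit message describes the field as firmware-supplied, so an oversized value is a malformed message that is worth surfacing, for example with a rate-limited warning before the copy, rather than truncating it quietly. A comment on that line would also keep the signed cast from being reintroduced later: `/* data_size is firmware-controlled; compare as unsigned, never via min_t(int, ...) */`. The copy that consumes `size` and the rest of ivpu_ipc_receive() lie outside this hunk, so whether any other read of `data_size` needs the same bound cannot be confirmed from here.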