accel/ivpu: Add bounds checks for firmware log indices
authorAndrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Fri, 29 May 2026 11:58:42 +0000 (13:58 +0200)
committerKarol Wachowski <karol.wachowski@linux.intel.com>
Tue, 2 Jun 2026 05:47:50 +0000 (07:47 +0200)
Add validation that read and write indices in the firmware log buffer
are within valid bounds (< data_size) before using them. If
out-of-bounds indices are encountered (from firmware), clamp them to
safe values instead of proceeding with invalid offsets.

This prevents potential out-of-bounds buffer access when firmware
supplies invalid log indices.

Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
drivers/accel/ivpu/ivpu_fw_log.c

index 337c906b0210720b53a32eb1fa10871415b7f1f9..275baf844b562ce088ca948ba3420ec96eef343e 100644 (file)
@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct vpu_tracing_buffer_header *log, const cha
        u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
        u32 log_end = READ_ONCE(log->write_index);
 
+       if (log_start >= data_size)
+               log_start = 0;
+       if (log_end > data_size)
+               log_end = data_size;
+
        if (log->wrap_count == log->read_wrap_count) {
                if (log_end <= log_start) {
                        drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
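Review bot: The clamps added at `if (log_start >= data_size)` and `if (log_end > data_size)` correct firmware-supplied indices silently, so a dump taken from a corrupted log header looks the same as one from a healthy header. An out-of-range index means the firmware-written header cannot be trusted, so I would record it in each branch, for example `drm_printf(p, "==== %s \"%s\" log indices out of range, clamped ====\n", prefix, log->name);`. A short comment should also say why the start resets to 0 while the end is capped at `data_size`, since with `only_new_msgs` set the reset appears to cause already-read messages to be printed again. `data_size` is computed outside this hunk, so it is worth confirming that it is itself checked against the real buffer length; the function body starts before and continues after the lines shown.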