From 635e3eba1ebcd5b92856e975e1d3859b487dc88b Mon Sep 17 00:00:00 2001 From: Mika Kuoppala Date: Wed, 4 Mar 2026 23:17:28 +0200 Subject: [PATCH] drm/xe: Fix overflow in guc_ct_snapshot_capture MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit snapshot->ctb is u32*, so pointer arithmetic on it scales the byte offset from xe_bo_size() by 4, overshooting the intended start of the g2h portion and writing past the allocated buffer. Fix this by using void * to get the arithmetic right and prevent future mishaps. v2: s/u8/void for memcpy and iosys_map consistency (Matt) Fixes: af3de6cf06f9 ("drm/xe: Split H2G and G2H into separate buffer objects") Cc: Matthew Brost Cc: Thomas Hellström Cc: Rodrigo Vivi Cc: intel-xe@lists.freedesktop.org Signed-off-by: Mika Kuoppala Reviewed-by: Matthew Brost Signed-off-by: Matthew Brost Link: https://patch.msgid.link/20260304211728.249104-1-mika.kuoppala@linux.intel.com --- drivers/gpu/drm/xe/xe_guc_ct_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_guc_ct_types.h b/drivers/gpu/drm/xe/xe_guc_ct_types.h index 46ad1402347d..5da1ce5dc372 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct_types.h +++ b/drivers/gpu/drm/xe/xe_guc_ct_types.h @@ -74,7 +74,7 @@ struct xe_guc_ct_snapshot { /** @ctb_size: size of the snapshot of the CTB */ size_t ctb_size; /** @ctb: snapshot of the entire CTB */ - u32 *ctb; + void *ctb; }; /**