Patch "drm/i915/guc: prevent a possible int overflow in wq offsets" has been added to the 6.6-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    drm/i915/guc: prevent a possible int overflow in wq offsets

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 93e93d2a2f59a6200b15a86abc52b2646238870c
Author: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
Date:   Thu Jul 25 08:59:25 2024 -0700

    drm/i915/guc: prevent a possible int overflow in wq offsets
    
    [ Upstream commit d3d37f74683e2f16f2635ee265884f7ca69350ae ]
    
    It may be possible for the sum of the values derived from
    i915_ggtt_offset() and __get_parent_scratch_offset()/
    i915_ggtt_offset() to go over the u32 limit before being assigned
    to wq offsets of u64 type.
    
    Mitigate these issues by expanding one of the right operands
    to u64 to avoid any overflow issues just in case.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: c2aa552ff09d ("drm/i915/guc: Add multi-lrc context registration")
    Cc: Matthew Brost <matthew.brost@xxxxxxxxx>
    Cc: John Harrison <John.C.Harrison@xxxxxxxxx>
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240725155925.14707-1-n.zhandarovich@xxxxxxxxxx
    Reviewed-by: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx>
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx>
    (cherry picked from commit 1f1c1bd56620b80ae407c5790743e17caad69cec)
    Signed-off-by: Tvrtko Ursulin <tursulin@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
index b5de5a9f5967..236dfff81fea 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
@@ -2695,9 +2695,9 @@ static void prepare_context_registration_info_v70(struct intel_context *ce,
 		ce->parallel.guc.wqi_tail = 0;
 		ce->parallel.guc.wqi_head = 0;
 
-		wq_desc_offset = i915_ggtt_offset(ce->state) +
+		wq_desc_offset = (u64)i915_ggtt_offset(ce->state) +
 				 __get_parent_scratch_offset(ce);
-		wq_base_offset = i915_ggtt_offset(ce->state) +
+		wq_base_offset = (u64)i915_ggtt_offset(ce->state) +
 				 __get_wq_offset(ce);
 		info->wq_desc_lo = lower_32_bits(wq_desc_offset);
 		info->wq_desc_hi = upper_32_bits(wq_desc_offset);