From: Nikita Zhandarovich
To: Jani Nikula , Joonas Lahtinen , Rodrigo Vivi
CC: Nikita Zhandarovich , Zhenyu Wang , Zhi Wang , "Tvrtko Ursulin" , David Airlie , "Simona Vetter" , , , ,
Subject: [PATCH] drm/i915/gvt: validate LRCA-derived guest context range
Date: Fri, 29 May 2026 16:24:27 +0300
Message-ID: <20260529132430.1636603-1-n.zhandarovich@fintech.ru>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru (10.0.10.18)
Content-Type: text/plain; charset="utf-8"

The GVT execlist context handling code derives GGTT page addresses from desc->lrca in several places:

- intel_vgpu_create_workload()
- populate_shadow_context()
- update_guest_context()

These paths translate addresses based on desc->lrca + page_index, but do not first verify that the referenced guest context range fits in 32-bit GMA space.

If desc->lrca is close enough (0xFFFFE, for instance) to the top encodable page value, the page addition can exceed the representable 32-bit GMA range before the value is shifted and truncated for address translation.

Fix this by validating the full LRCA-derived context range once during workload creation, based on the engine context size, and reject invalid descriptors before any GPA translation is attempted.

Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

Fixes: 28c4c6ca7f79 ("drm/i915/gvt: vGPU workload submission")
Signed-off-by: Nikita Zhandarovich
---
 drivers/gpu/drm/i915/gvt/scheduler.c | 37 ++++++++++++++++++++++++++++++++= ++++
 1 file changed, 37 insertions(+)

diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gv= t/scheduler.c
index 15fdd514ca83..b2c028396093 100644
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -68,6 +68,37 @@ static void set_context_pdp_root_pointer( ring_context->pdps[i].val =3D pdp[7 - i]; } =20 +static unsigned long +intel_vgpu_context_page_num(struct intel_vgpu *vgpu, + const struct intel_engine_cs *engine) +{ + unsigned long context_page_num; + + context_page_num =3D engine->context_size >> PAGE_SHIFT; + + if (IS_BROADWELL(vgpu->gvt->gt->i915) && engine->id =3D=3D RCS0) + context_page_num =3D 19; + + return context_page_num; +} + +static bool +intel_vgpu_lrca_range_valid(struct intel_vgpu *vgpu, + const struct intel_engine_cs *engine, + u32 lrca) +{ + unsigned long context_page_num; + u32 max_lrca; + + context_page_num =3D intel_vgpu_context_page_num(vgpu, engine); + if (!context_page_num) + return false; + + max_lrca =3D (U32_MAX >> I915_GTT_PAGE_SHIFT) - (context_page_num - 1); + + return lrca <=3D max_lrca; +} + static void update_shadow_pdps(struct intel_vgpu_workload *workload) { struct execlist_ring_context *shadow_ring_context; @@ -1646,6 +1677,12 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, u32 guest_head; int ret; =20 + if (!intel_vgpu_lrca_range_valid(vgpu, engine, desc->lrca)) { + gvt_vgpu_err("invalid guest context LRCA: 0x%x\n", + desc->lrca); + return ERR_PTR(-EINVAL); + } + ring_context_gpa =3D intel_vgpu_gma_to_gpa(vgpu->gtt.ggtt_mm, (u32)((desc->lrca + 1) << I915_GTT_PAGE_SHIFT)); if (ring_context_gpa =3D=3D INTEL_GVT_INVALID_ADDR) {
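Review bot: in the first hunk, intel_vgpu_context_page_num() derives the page count from engine->context_size >> PAGE_SHIFT with a Broadwell RCS0 override to 19, and the commit message says populate_shadow_context() and update_guest_context() walk desc->lrca + page_index themselves; if those two paths compute the same count independently, they should be switched to this helper in the same patch so the range that is validated here and the range that is actually translated cannot drift apart. The literal 19 also needs a one-line comment saying where that number comes from. Two minor points: the other static helpers in this file (set_context_pdp_root_pointer, update_shadow_pdps) do not carry the intel_vgpu_ prefix, and in `max_lrca = (U32_MAX >> I915_GTT_PAGE_SHIFT) - (context_page_num - 1);` the subtraction is done in unsigned long and then stored into a u32, so a context_page_num larger than (U32_MAX >> I915_GTT_PAGE_SHIFT) + 1 would wrap to a large max_lrca instead of failing; returning false for that case next to the existing `if (!context_page_num)` check closes it off at no cost.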
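Review bot: in the second hunk, the new check in intel_vgpu_create_workload() sits before the first intel_vgpu_gma_to_gpa() call, which is the right place, but the rejected value is entirely guest-supplied, so gvt_vgpu_err("invalid guest context LRCA: 0x%x\n", ...) can be emitted at whatever rate a misbehaving guest submits descriptors; consider a rate-limited or debug-level variant if one is available, and include engine->name in the message, since the valid range depends on the engine's context size and a bare LRCA value is hard to interpret on its own. It is also worth a sentence in the commit message that the existing `(u32)((desc->lrca + 1) << I915_GTT_PAGE_SHIFT)` cast just below can no longer silently truncate an out-of-range address once this check is in front of it.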