[PATCH v3] drm/xe: Fix out-of-bounds field write in MI_STORE_DATA_IMM

Jia Yao jia.yao at intel.com
Thu Jun 12 22:46:20 UTC 2025 

According to Bspec, bits 0~9 of MI_STORE_DATA_IMM must not exceed 0x3FE.
The macro MI_SDI_NUM_QW(x) evaluates to 2 * x + 1, which means the
condition 2 * x + 1 <= 0x3FE must be satisfied. Therefore, the maximum
valid value for x is 0x1FE, not 0x1FF.

v2
 - Replace 0x1fe with macro MAX_PTE_PER_SDI (Auld, Matthew & Patelczyk, Maciej)

v3
 - Change macro MAX_PTE_PER_SDI from 0x1fe to 0x1feU (De Marchi, Lucas)

Bspec: 60246

Fixes: 9c44fd5f6e8a ("drm/xe: Add migrate layer functions for SVM support")
Cc: Matthew Brost <matthew.brost at intel.com>
Cc: Brian3 Nguyen <brian3.nguyen at intel.com>
Cc: Alex Zuo <alex.zuo at intel.com>
Cc: Matthew Auld <matthew.auld at intel.com>
Cc: Maciej Patelczyk <maciej.patelczyk at intel.com>
Cc: Lucas De Marchi <lucas.demarchi at intel.com>
Suggested-by: Shuicheng Lin <shuicheng.lin at intel.com>
Signed-off-by: Jia Yao <jia.yao at intel.com>
---
 drivers/gpu/drm/xe/xe_migrate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c
index 8f8e9fdfb2a8..6cdd4538fd6b 100644
--- a/drivers/gpu/drm/xe/xe_migrate.c
+++ b/drivers/gpu/drm/xe/xe_migrate.c
@@ -82,7 +82,7 @@ struct xe_migrate {
  * of the instruction.  Subtracting the instruction header (1 dword) and
  * address (2 dwords), that leaves 0x3FD dwords (0x1FE qwords) for PTE values.
  */
-#define MAX_PTE_PER_SDI 0x1FE
+#define MAX_PTE_PER_SDI 0x1FEU
 
 /**
  * xe_tile_migrate_exec_queue() - Get this tile's migrate exec queue.
@@ -1555,13 +1555,13 @@ static u32 pte_update_cmd_size(u64 size)
 	XE_WARN_ON(size > MAX_PREEMPTDISABLE_TRANSFER);
 	/*
 	 * MI_STORE_DATA_IMM command is used to update page table. Each
-	 * instruction can update maximumly 0x1ff pte entries. To update
-	 * n (n <= 0x1ff) pte entries, we need:
+	 * instruction can update maximumly 0x1fe pte entries. To update
+	 * n (n <= 0x1fe) pte entries, we need:
 	 * 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
 	 * 2 dword for the page table's physical location
 	 * 2*n dword for value of pte to fill (each pte entry is 2 dwords)
 	 */
-	num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1ff);
+	num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, MAX_PTE_PER_SDI);
 	num_dword += entries * 2;
 
 	return num_dword;
@@ -1577,7 +1577,7 @@ static void build_pt_update_batch_sram(struct xe_migrate *m,
 
 	ptes = DIV_ROUND_UP(size, XE_PAGE_SIZE);
 	while (ptes) {
-		u32 chunk = min(0x1ffU, ptes);
+		u32 chunk = min(MAX_PTE_PER_SDI, ptes);
 
 		bb->cs[bb->len++] = MI_STORE_DATA_IMM | MI_SDI_NUM_QW(chunk);
 		bb->cs[bb->len++] = pt_offset;
-- 
2.34.1

More information about the Intel-xe mailing list