CVE-2022-49963

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/ttm: fix CCS handling

Crucible + recent Mesa seems to sometimes hit:

GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER)

And it looks like we can also trigger this with gem_lmem_swapping, if we modify the test to use slightly larger object sizes.

Looking closer it looks like we have the following issues in migrate_copy():

- We are using plain integer in various places, which we can easily overflow with a large object.

- We pass the entire object size (when the src is lmem) into emit_pte() and then try to copy it, which doesn't work, since we only have a few fixed sized windows in which to map the pages and perform the copy. With an object > 8M we therefore aren't properly copying the pages. And then with an object > 64M we trigger the GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER).

So it looks like our copy handling for any object > 8M (which is our CHUNK_SZ) is currently broken on DG2.

Testcase: igt@gem_lmem_swapping
(cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)
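The two issues named in the description, shown as an added user-space illustration that is not code from the i915 driver or from its fix: sizes are kept in 64-bit variables, and each transfer is clamped to the 8M CHUNK_SZ window. The names window_fn, tally_window, overflows_int and copy_in_windows are hypothetical, and the object sizes are constructed.

```c
/* Added illustration; not code from the i915 driver or its fix. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_SZ (8ull << 20) /* 8M copy window, the size the description gives */

/* Hypothetical stand-in for "map one window of pages and copy it". */
typedef int (*window_fn)(uint64_t offset, uint32_t len, void *ctx);

struct tally { uint64_t bytes; uint32_t max_len; };

static int tally_window(uint64_t offset, uint32_t len, void *ctx)
{
    struct tally *t = ctx;
    (void)offset;
    t->bytes += len;
    if (len > t->max_len)
        t->max_len = len;
    return 0;
}

/* 1 if the size cannot be held in a plain int without changing value. */
static int overflows_int(uint64_t size)
{
    return size > (uint64_t)INT_MAX;
}

/* Walk the object with 64-bit offsets, never handing more than CHUNK_SZ
 * to one window. Returns the number of windows used, or -1 on error. */
static int64_t copy_in_windows(uint64_t size, window_fn fn, void *ctx)
{
    int64_t windows = 0;
    for (uint64_t off = 0; off < size; windows++) {
        uint64_t left = size - off;
        uint32_t len = (uint32_t)(left < CHUNK_SZ ? left : CHUNK_SZ);
        if (fn(off, len, ctx))
            return -1;
        off += len;
    }
    return windows;
}

int main(void)
{
    struct tally t = {0, 0};
    uint64_t size = (64ull << 20) + 4096; /* constructed size just over 64M */
    long long n = (long long)copy_in_windows(size, tally_window, &t);
    printf("%lld windows, %llu bytes, largest %u, overflows int: %d\n", n,
           (unsigned long long)t.bytes, t.max_len, overflows_int(size));
    return 0;
}
```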

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 5.19.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:* | | |