* [PATCH] drm/i915/gvt: validate LRCA-derived guest context range
@ 2026-05-29 13:24 Nikita Zhandarovich
2026-06-04 6:31 ` Claude review: " Claude Code Review Bot
2026-06-04 6:31 ` Claude Code Review Bot
0 siblings, 2 replies; 3+ messages in thread
From: Nikita Zhandarovich @ 2026-05-29 13:24 UTC (permalink / raw)
To: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi
Cc: Nikita Zhandarovich, Zhenyu Wang, Zhi Wang, Tvrtko Ursulin,
David Airlie, Simona Vetter, intel-gfx, dri-devel, linux-kernel,
lvc-project
The GVT execlist context handling code derives GGTT page addresses from
desc->lrca in several places:
- intel_vgpu_create_workload()
- populate_shadow_context()
- update_guest_context()
These paths translate addresses based on desc->lrca + page_index, but do
not first verify that the referenced guest context range fits in 32-bit
GMA space.
If desc->lrca is close enough (0xFFFFE, for instance) to the top
encodable page value, the page addition can exceed the representable
32-bit GMA range before the value is shifted and truncated for address
translation.
Fix this by validating the full LRCA-derived context range once during
workload creation, based on the engine context size, and reject invalid
descriptors before any GPA translation is attempted.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 28c4c6ca7f79 ("drm/i915/gvt: vGPU workload submission")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
drivers/gpu/drm/i915/gvt/scheduler.c | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
index 15fdd514ca83..b2c028396093 100644
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -68,6 +68,37 @@ static void set_context_pdp_root_pointer(
ring_context->pdps[i].val = pdp[7 - i];
}
+static unsigned long
+intel_vgpu_context_page_num(struct intel_vgpu *vgpu,
+ const struct intel_engine_cs *engine)
+{
+ unsigned long context_page_num;
+
+ context_page_num = engine->context_size >> PAGE_SHIFT;
+
+ if (IS_BROADWELL(vgpu->gvt->gt->i915) && engine->id == RCS0)
+ context_page_num = 19;
+
+ return context_page_num;
+}
+
+static bool
+intel_vgpu_lrca_range_valid(struct intel_vgpu *vgpu,
+ const struct intel_engine_cs *engine,
+ u32 lrca)
+{
+ unsigned long context_page_num;
+ u32 max_lrca;
+
+ context_page_num = intel_vgpu_context_page_num(vgpu, engine);
+ if (!context_page_num)
+ return false;
+
+ max_lrca = (U32_MAX >> I915_GTT_PAGE_SHIFT) - (context_page_num - 1);
+
+ return lrca <= max_lrca;
+}
+
static void update_shadow_pdps(struct intel_vgpu_workload *workload)
{
struct execlist_ring_context *shadow_ring_context;
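Review bot: intel_vgpu_context_page_num() derives the page count with `engine->context_size >> PAGE_SHIFT` while intel_vgpu_lrca_range_valid() sizes the address space with `U32_MAX >> I915_GTT_PAGE_SHIFT`; both shifts are 12 on the platforms GVT supports, but the bound `max_lrca = (U32_MAX >> I915_GTT_PAGE_SHIFT) - (context_page_num - 1)` is only correct if the two agree, so either use I915_GTT_PAGE_SHIFT for both or add a comment tying them together. Rounding a non-page-multiple context_size down matches the inline copies in populate_shadow_context() and update_guest_context() quoted in the review, so the validated range covers exactly the pages those loops touch. A one-line comment on the `if (!context_page_num) return false;` guard saying it exists to avoid the `context_page_num - 1` underflow would also help the next reader.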
@@ -1646,6 +1677,12 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu,
u32 guest_head;
int ret;
+ if (!intel_vgpu_lrca_range_valid(vgpu, engine, desc->lrca)) {
+ gvt_vgpu_err("invalid guest context LRCA: 0x%x\n",
+ desc->lrca);
+ return ERR_PTR(-EINVAL);
+ }
+
ring_context_gpa = intel_vgpu_gma_to_gpa(vgpu->gtt.ggtt_mm,
(u32)((desc->lrca + 1) << I915_GTT_PAGE_SHIFT));
if (ring_context_gpa == INTEL_GVT_INVALID_ADDR) {
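Review bot: the check correctly lands before the first use of desc->lrca at `(desc->lrca + 1) << I915_GTT_PAGE_SHIFT`, but gvt_vgpu_err() here prints a guest-chosen value on a path a guest can hit on every submission, so a rate-limited or debug-level message would keep a hostile guest from flooding the host log (the existing INTEL_GVT_INVALID_ADDR path immediately below has the same exposure). The commit message also names populate_shadow_context() and update_guest_context() as affected sites, and neither is touched here; that is sound only because both operate on workloads created by this function, and a short comment at the check stating that it covers those later consumers would make the invariant explicit.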
* Claude review: drm/i915/gvt: validate LRCA-derived guest context range
2026-05-29 13:24 [PATCH] drm/i915/gvt: validate LRCA-derived guest context range Nikita Zhandarovich
@ 2026-06-04 6:31 ` Claude Code Review Bot
2026-06-04 6:31 ` Claude Code Review Bot
1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-06-04 6:31 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Correctness: Good.** The arithmetic is correct:
```c
max_lrca = (U32_MAX >> I915_GTT_PAGE_SHIFT) - (context_page_num - 1);
```
This yields `0xFFFFF - (context_page_num - 1)`, ensuring `lrca + (context_page_num - 1) <= 0xFFFFF`. The downstream code accesses pages at offsets up to `context_page_num - 1` from `lrca` (in `populate_shadow_context` line 264: `for (i = 2; i < context_page_num; i++)`, and `intel_vgpu_create_workload` line 1687: `desc->lrca + 1`), so the bound is tight and correct.
**The `lrca` field is 20 bits wide** (`:20` bitfield at `execlist.h:52`), so its maximum value is `0xFFFFF` — the same as `U32_MAX >> 12`. The check correctly validates that the full range of pages `[lrca, lrca + context_page_num - 1]` fits within this space.
**Placement is correct:** the validation happens at `scheduler.c:1680`, before the first use of `desc->lrca` at line 1687 `(desc->lrca + 1) << I915_GTT_PAGE_SHIFT`.
**Minor suggestions:**
1. **Missed opportunity to reuse the helper.** The new `intel_vgpu_context_page_num()` helper extracts the Broadwell RCS0 special-case logic that is duplicated inline at two other sites:
- `populate_shadow_context()` (lines 254–258):
```c
context_page_num = workload->engine->context_size;
context_page_num = context_page_num >> PAGE_SHIFT;
if (IS_BROADWELL(gvt->gt->i915) && workload->engine->id == RCS0)
context_page_num = 19;
```
- `update_guest_context()` (lines 1014–1018):
```c
context_page_num = rq->engine->context_size;
context_page_num = context_page_num >> PAGE_SHIFT;
if (IS_BROADWELL(rq->i915) && rq->engine->id == RCS0)
context_page_num = 19;
```
Since the helper is now available, those two call sites should be converted to use `intel_vgpu_context_page_num()` to eliminate the duplication. This is a minor cleanup and could be a follow-up patch, but it would strengthen the series by ensuring all three sites stay in sync.
2. **The `context_page_num == 0` guard is defensive but reasonable.** `engine->context_size` should never be zero for a valid engine, but the guard at line 94 (`if (!context_page_num) return false;`) is a safe belt-and-suspenders check that avoids underflow in the `context_page_num - 1` subtraction. No objection.
3. **Nit: `unsigned long` vs `u32` for `context_page_num`.** The helper returns `unsigned long` but the value is used in a `u32` subtraction on line 97. On 64-bit kernels this is fine (no truncation risk since page counts are small), but for consistency with the `u32 max_lrca` on line 91, using a `u32` return type would be slightly cleaner. This is cosmetic.
**No correctness issues found. The patch is ready to merge as-is, with the deduplication cleanup as a nice-to-have follow-up.**
---
Generated by Claude Code Patch Reviewer
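To make the overflow in the commit message and the `0xFFFFF - (context_page_num - 1)` bound in the review concrete, here is an added user-space C model (not code from the patch or the i915 driver). It assumes 4 KiB GGTT pages (I915_GTT_PAGE_SHIFT = 12) and the Broadwell RCS0 page count of 19 from the hunk, reproduces the `(u32)` truncation that happens before intel_vgpu_gma_to_gpa() is called, and exhaustively verifies that the patch's max_lrca bound is exactly the boundary between descriptors whose pages all translate and descriptors that wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed kernel constants: 4 KiB GGTT pages, 20-bit page number space. */
#define I915_GTT_PAGE_SHIFT 12U
#define LRCA_PAGE_MAX (UINT32_MAX >> I915_GTT_PAGE_SHIFT)   /* 0xFFFFF */

/* Broadwell RCS0 context page count taken from the patch hunk. */
#define BDW_RCS0_CONTEXT_PAGES 19UL

/*
 * Pre-patch translation: (lrca + idx) << I915_GTT_PAGE_SHIFT is cast to u32
 * before the GMA-to-GPA lookup. Returns the truncated 32-bit GMA.
 */
static uint32_t context_page_gma(uint32_t lrca, unsigned int idx)
{
    uint64_t full = ((uint64_t)lrca + idx) << I915_GTT_PAGE_SHIFT;

    return (uint32_t)full;
}

/* True when the truncation above silently discards high bits. */
static bool page_gma_wraps(uint32_t lrca, unsigned int idx)
{
    uint64_t full = ((uint64_t)lrca + idx) << I915_GTT_PAGE_SHIFT;

    return full > UINT32_MAX;
}

/* Count the context pages whose GMA wraps to a bogus low address. */
static unsigned int count_wrapped_pages(uint32_t lrca, unsigned long context_page_num)
{
    unsigned int n = 0;

    for (unsigned int idx = 0; idx < context_page_num; idx++)
        if (page_gma_wraps(lrca, idx))
            n++;
    return n;
}

/* Same bound as the patch's intel_vgpu_lrca_range_valid(), in user space. */
static bool lrca_range_valid(uint32_t lrca, unsigned long context_page_num)
{
    uint32_t max_lrca;

    if (!context_page_num)      /* avoids the context_page_num - 1 underflow */
        return false;

    max_lrca = LRCA_PAGE_MAX - (uint32_t)(context_page_num - 1);
    return lrca <= max_lrca;
}

/*
 * Exhaustive check over the whole 20-bit lrca field: the bound is tight iff
 * every accepted lrca translates all its pages without wrapping and every
 * rejected lrca wraps at least one page.
 */
static bool bound_is_tight(unsigned long context_page_num)
{
    for (uint32_t lrca = 0; lrca <= LRCA_PAGE_MAX; lrca++) {
        bool accepted = lrca_range_valid(lrca, context_page_num);
        bool wraps = count_wrapped_pages(lrca, context_page_num) != 0;

        if (accepted == wraps)
            return false;
    }
    return true;
}

int main(void)
{
    const uint32_t lrca = 0xFFFFE;  /* the value the commit message cites */

    printf("lrca=0x%x page 2 -> gma=0x%08x wraps=%d\n",
           lrca, context_page_gma(lrca, 2), page_gma_wraps(lrca, 2));
    printf("wrapped pages: %u of %lu\n",
           count_wrapped_pages(lrca, BDW_RCS0_CONTEXT_PAGES),
           BDW_RCS0_CONTEXT_PAGES);
    printf("range check accepts 0x%x: %d\n",
           lrca, lrca_range_valid(lrca, BDW_RCS0_CONTEXT_PAGES));
    printf("bound tight for %lu pages: %d\n",
           BDW_RCS0_CONTEXT_PAGES, bound_is_tight(BDW_RCS0_CONTEXT_PAGES));
    return 0;
}
```

With lrca = 0xFFFFE and 19 context pages, pages 0 and 1 still translate (0xFFFFE000 and 0xFFFFF000) but page 2 becomes GMA 0x00000000 after truncation, and pages 2 through 18 all alias the bottom of the GGTT; the check rejects the descriptor because max_lrca is 0xFFFED, and 0xFFFED itself is accepted with all 19 pages translating cleanly.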
* Claude review: drm/i915/gvt: validate LRCA-derived guest context range
2026-05-29 13:24 [PATCH] drm/i915/gvt: validate LRCA-derived guest context range Nikita Zhandarovich
2026-06-04 6:31 ` Claude review: " Claude Code Review Bot
@ 2026-06-04 6:31 ` Claude Code Review Bot
1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-06-04 6:31 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: drm/i915/gvt: validate LRCA-derived guest context range
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Patches: 1
Reviewed: 2026-06-04T16:31:02.106355
---
This is a single-patch series that adds an early validation check for the LRCA (Logical Ring Context Address) field in guest-submitted execlist context descriptors within the i915 GVT (GPU virtualization) scheduler. The fix addresses a real issue: a malicious or buggy guest VM can supply an `lrca` value close to the top of the 20-bit page range (e.g., `0xFFFFE`), causing `lrca + page_index` to overflow the 32-bit GMA (Graphics Memory Address) space when shifted by `I915_GTT_PAGE_SHIFT` (12). The overflow would cause silent address truncation before the `intel_vgpu_gma_to_gpa()` translation, potentially leading to incorrect GPA lookups.
The approach is sound: validate once at workload creation time, before any GPA translation is attempted, and reject invalid descriptors with `EINVAL`. The new `intel_vgpu_context_page_num()` helper also centralizes the Broadwell RCS0 workaround for the context page count, which is duplicated inline in `populate_shadow_context()` and `update_guest_context()`.
**Verdict: The patch is correct and addresses a legitimate security/robustness concern. Minor suggestions below.**
---
Generated by Claude Code Patch Reviewer