From patchwork Fri Feb 25 00:06:23 2022
X-Patchwork-Submitter: John Harrison
X-Patchwork-Id: 12759465
From: John.C.Harrison@Intel.com
To: Intel-GFX@Lists.FreeDesktop.Org
Subject: [PATCH v2 8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs
Date: Thu, 24 Feb 2022 16:06:23 -0800
Message-Id: <20220225000623.1934438-9-John.C.Harrison@Intel.com>
In-Reply-To: <20220225000623.1934438-1-John.C.Harrison@Intel.com>
References: <20220225000623.1934438-1-John.C.Harrison@Intel.com>
Cc: Daniele Ceraolo Spurio, John Harrison, DRI-Devel@Lists.FreeDesktop.Org

From: John Harrison

Some G2H handlers were reading the context id field from the payload before checking the payload met the minimum length required.

Signed-off-by: John Harrison
Reviewed-by: Daniele Ceraolo Spurio

--- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c index 53114097a5b9..820f6e870505 100644 --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c @@ -3891,12 +3891,13 @@ int intel_guc_deregister_done_process_msg(struct intel_guc *guc, u32 len) { struct intel_context *ce; - u32 ctx_id = msg[0]; + u32 ctx_id; if (unlikely(len < 1)) { drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len); return -EPROTO; } + ctx_id = msg[0]; ce = g2h_context_lookup(guc, ctx_id); if (unlikely(!ce)) 
@@ -3942,12 +3943,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc *guc, { struct intel_context *ce; unsigned long flags; - u32 ctx_id = msg[0]; + u32 ctx_id; if (unlikely(len < 2)) { drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len); return -EPROTO; } + ctx_id = msg[0]; ce = g2h_context_lookup(guc, ctx_id); if (unlikely(!ce))
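
Review bot: in intel_guc_deregister_done_process_msg (first hunk) the drm_err text "Invalid length %u\n" is the same string that intel_guc_sched_done_process_msg logs, so a short G2H reported in the kernel log cannot be attributed to a handler or to the minimum it failed to meet. Since the length check is being touched anyway, consider naming the message type and the expected minimum in the format string, for example "Invalid deregister done length %u, expected at least 1\n", so that a malformed message from the firmware side can be triaged from the log alone.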
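
Review bot: in intel_guc_sched_done_process_msg (second hunk) the guard is len < 2, but the lines shown only consume msg[0], so the reason two dwords are required is not evident at the check. A one-line comment above the check stating which payload dwords this handler reads, or a named constant in place of the bare 2, would keep the bound tied to the reads it protects; the same applies to the bare 1 in the deregister handler. With ctx_id now assigned only after the check, it is also worth confirming that no other access to msg in this function sits above the len test.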