
[8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs

Message ID 20220217235207.930153-9-John.C.Harrison@Intel.com (mailing list archive)
State New, archived
Series Prep work for next GuC release | expand

Commit Message

John Harrison Feb. 17, 2022, 11:52 p.m. UTC
From: John Harrison <John.C.Harrison@Intel.com>

Some G2H handlers were reading the context id field from the payload
before checking the payload met the minimum length required.

Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
---
 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Daniele Ceraolo Spurio Feb. 23, 2022, 1:28 a.m. UTC | #1
On 2/17/2022 3:52 PM, John.C.Harrison@Intel.com wrote:
> From: John Harrison <John.C.Harrison@Intel.com>
>
> Some G2H handlers were reading the context id field from the payload
> before checking the payload met the minimum length required.
>
> Signed-off-by: John Harrison <John.C.Harrison@Intel.com>

Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>

While double-checking the other msg handler I noticed that we don't do 
any checks on len for intel_guc_log_handle_flush_event(). Not really 
relevant for this patch, just wondering out loud if we should add a 
check to make sure the message is not corrupted.

Daniele

> ---
>   drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> index b70b1ff46418..ea17dca68674 100644
> --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> @@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct intel_guc *guc,
>   					  u32 len)
>   {
>   	struct intel_context *ce;
> -	u32 ctx_id = msg[0];
> +	u32 ctx_id;
>   
>   	if (unlikely(len < 1)) {
>   		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
>   		return -EPROTO;
>   	}
> +	ctx_id = msg[0];
>   
>   	ce = g2h_context_lookup(guc, ctx_id);
>   	if (unlikely(!ce))
> @@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc *guc,
>   {
>   	struct intel_context *ce;
>   	unsigned long flags;
> -	u32 ctx_id = msg[0];
> +	u32 ctx_id;
>   
>   	if (unlikely(len < 2)) {
>   		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
>   		return -EPROTO;
>   	}
> +	ctx_id = msg[0];
>   
>   	ce = g2h_context_lookup(guc, ctx_id);
>   	if (unlikely(!ce))

Patch

diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
index b70b1ff46418..ea17dca68674 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
@@ -3895,12 +3895,13 @@  int intel_guc_deregister_done_process_msg(struct intel_guc *guc,
 					  u32 len)
 {
 	struct intel_context *ce;
-	u32 ctx_id = msg[0];
+	u32 ctx_id;
 
 	if (unlikely(len < 1)) {
 		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
 		return -EPROTO;
 	}
+	ctx_id = msg[0];
 
 	ce = g2h_context_lookup(guc, ctx_id);
 	if (unlikely(!ce))
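Review bot: The rejection path under `if (unlikely(len < 1))` logs `"Invalid length %u\n"`, which is byte-identical to the message in the intel_guc_sched_done_process_msg hunk below, so a malformed G2H seen in the kernel log cannot be attributed to a handler or to the minimum it failed. Naming the handler and the bound would fix that, e.g. `drm_err(&guc_to_gt(guc)->i915->drm, "Invalid deregister-done length %u, expected >= 1\n", len);`, with the equivalent wording in the other handler. Because the payload comes from firmware and a misbehaving sender could presumably repeat the same bad message, `drm_err_ratelimited` may be the better choice on this path. The function's signature starts before the hunk and its body continues past the end of it.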
@@ -3946,12 +3947,13 @@  int intel_guc_sched_done_process_msg(struct intel_guc *guc,
 {
 	struct intel_context *ce;
 	unsigned long flags;
-	u32 ctx_id = msg[0];
+	u32 ctx_id;
 
 	if (unlikely(len < 2)) {
 		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
 		return -EPROTO;
 	}
+	ctx_id = msg[0];
 
 	ce = g2h_context_lookup(guc, ctx_id);
 	if (unlikely(!ce))
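Review bot: The minimum in `if (unlikely(len < 2))` is a bare constant, and the only payload read visible in this hunk is `ctx_id = msg[0]`; whatever consumes the second dword lies outside the hunk, so nothing here ties the bound to the reads it protects. A short layout comment above the check, such as `/* G2H payload: msg[0] = context id, msg[1] = <second field read below> */`, would make it obvious which reads the guard covers and help keep the two in step if the message format changes. The function starts and ends outside the hunk.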