Commit e1dd8714 authored by John Harrison's avatar John Harrison

drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs



Some G2H handlers were reading the context id field from the payload
before checking the payload met the minimum length required.

Signed-off-by: default avatarJohn Harrison <John.C.Harrison@Intel.com>
Reviewed-by: default avatarDaniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220302003357.4188363-9-John.C.Harrison@Intel.com
parent d4de9a3e
+4 −2
@@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct intel_guc *guc,
					  u32 len)
{
	struct intel_context *ce;
	u32 ctx_id = msg[0];
	u32 ctx_id;

	if (unlikely(len < 1)) {
		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
		return -EPROTO;
	}
	ctx_id = msg[0];

	ce = g2h_context_lookup(guc, ctx_id);
	if (unlikely(!ce))
@@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc *guc,
{
	struct intel_context *ce;
	unsigned long flags;
	u32 ctx_id = msg[0];
	u32 ctx_id;

	if (unlikely(len < 2)) {
		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
		return -EPROTO;
	}
	ctx_id = msg[0];

	ce = g2h_context_lookup(guc, ctx_id);
	if (unlikely(!ce))
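Review bot: Both rejection paths log the identical string `"Invalid length %u\n"`, so a malformed G2H cannot be attributed to intel_guc_deregister_done_process_msg or intel_guc_sched_done_process_msg from the log alone, and the required minimum (1 versus 2 dwords) is not reported. Since len describes a message handed over by the GuC rather than built by the driver, naming the handler and the expected minimum would make a truncated or corrupted message much easier to triage, e.g. `drm_err(&guc_to_gt(guc)->i915->drm, "sched_done: invalid length %u, expected at least 2\n", len);`. A one-line comment above each check, such as `/* msg[] must not be read before len is validated */`, would also guard against the initializer-at-declaration pattern creeping back in. Both function bodies continue outside the hunks, so where the sched_done handler uses the second dword is not visible here.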