Re: [Intel-gfx] [PATCH 8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs

2022-02-22 Thread Ceraolo Spurio, Daniele




On 2/17/2022 3:52 PM, john.c.harri...@intel.com wrote:

From: John Harrison 

Some G2H handlers were reading the context id field from the payload
before checking the payload met the minimum length required.

Signed-off-by: John Harrison 


Reviewed-by: Daniele Ceraolo Spurio 

While double-checking the other msg handler I noticed that we don't do 
any checks on len for intel_guc_log_handle_flush_event(). Not really 
relevant for this patch, just wondering out loud if we should add a 
check to make sure the message is not corrupted.


Daniele


---
  drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 --
  1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c 
b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
index b70b1ff46418..ea17dca68674 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
@@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct 
intel_guc *guc,
  u32 len)
  {
struct intel_context *ce;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
  
  	if (unlikely(len < 1)) {

drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
  
  	ce = g2h_context_lookup(guc, ctx_id);

if (unlikely(!ce))
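Review bot: The position of `ctx_id = msg[0];` after the `len < 1` check is now what stops the handler from reading a payload entry the G2H may not contain, but nothing in the code says the ordering matters. A later tidy-up could fold the assignment back into the declaration and reintroduce the early read. I would add a one-line comment above the assignment, for example `/* msg[] holds only len entries: read it after the length check */`. The same applies to the second hunk in intel_guc_sched_done_process_msg and to the two other postings of this patch further down the page. Both functions continue outside their hunks, so any later msg[] reads cannot be checked against the length test from here.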
@@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc 
*guc,
  {
struct intel_context *ce;
unsigned long flags;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
  
  	if (unlikely(len < 2)) {

drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
  
  	ce = g2h_context_lookup(guc, ctx_id);

if (unlikely(!ce))
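Review bot: The error path in intel_guc_sched_done_process_msg logs the same text, `"Invalid length %u\n"`, as the one in intel_guc_deregister_done_process_msg, so the format string alone cannot tie a rejected message to its handler or to the minimum it failed. Unless the drm_err prefix already identifies the caller, naming the handler and the expected minimum would make malformed G2H traffic easier to triage, e.g. `drm_err(&guc_to_gt(guc)->i915->drm, "sched done: invalid length %u, expected at least 2\n", len);`. The same wording appears in the other postings of this patch below. The function body continues outside the hunk.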




[Intel-gfx] [PATCH 8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs

2022-02-17 Thread John . C . Harrison
From: John Harrison 

Some G2H handlers were reading the context id field from the payload
before checking the payload met the minimum length required.

Signed-off-by: John Harrison 
---
 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c 
b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
index b70b1ff46418..ea17dca68674 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
@@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct 
intel_guc *guc,
  u32 len)
 {
struct intel_context *ce;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
 
if (unlikely(len < 1)) {
drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
 
ce = g2h_context_lookup(guc, ctx_id);
if (unlikely(!ce))
@@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc 
*guc,
 {
struct intel_context *ce;
unsigned long flags;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
 
if (unlikely(len < 2)) {
drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
 
ce = g2h_context_lookup(guc, ctx_id);
if (unlikely(!ce))
-- 
2.25.1



[Intel-gfx] [PATCH 8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs

2022-02-07 Thread John . C . Harrison
From: John Harrison 

Some G2H handlers were reading the context id field from the payload
before checking the payload met the minimum length required.

Signed-off-by: John Harrison 
---
 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c 
b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
index 7e19b453981d..7081586dc24a 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
@@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct 
intel_guc *guc,
  u32 len)
 {
struct intel_context *ce;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
 
if (unlikely(len < 1)) {
drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
 
ce = g2h_context_lookup(guc, ctx_id);
if (unlikely(!ce))
@@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc 
*guc,
 {
struct intel_context *ce;
unsigned long flags;
-   u32 ctx_id = msg[0];
+   u32 ctx_id;
 
if (unlikely(len < 2)) {
drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
return -EPROTO;
}
+   ctx_id = msg[0];
 
ce = g2h_context_lookup(guc, ctx_id);
if (unlikely(!ce))
-- 
2.25.1