From 6b5f15445c8d07945e6f209b404fb89968374e88 Mon Sep 17 00:00:00 2001
From: Michal Wajdeczko
Date: Tue, 5 Nov 2024 18:30:31 +0100
Subject: [PATCH] drm/xe/guc: Don't read data from G2H prior to length check

While highly unlikely, incoming G2H message might be too short so we shouldn't read any data from it prior to checking a length.

Signed-off-by: Michal Wajdeczko
Cc: Matthew Brost
Reviewed-by: Matthew Brost
Link: https://patchwork.freedesktop.org/patch/msgid/20241105173032.1947-4-michal.wajdeczko@intel.com
---
 drivers/gpu/drm/xe/xe_guc_submit.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
index 315cac196f26..37d4ad8e4f5c 100644
--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -1883,12 +1883,14 @@ static void handle_sched_done(struct xe_guc *guc, struct xe_exec_queue *q,
 int xe_guc_sched_done_handler(struct xe_guc *guc, u32 *msg, u32 len)
 {
 struct xe_exec_queue *q;
- u32 guc_id = msg[0];
- u32 runnable_state = msg[1];
+ u32 guc_id, runnable_state;
 if (unlikely(len < 2))
 return -EPROTO;
+ guc_id = msg[0];
+ runnable_state = msg[1];
+
 q = g2h_exec_queue_lookup(guc, guc_id);
 if (unlikely(!q))
 return -EPROTO;
@@ -1922,11 +1924,13 @@ static void handle_deregister_done(struct xe_guc *guc, struct xe_exec_queue *q)
 int xe_guc_deregister_done_handler(struct xe_guc *guc, u32 *msg, u32 len)
 {
 struct xe_exec_queue *q;
- u32 guc_id = msg[0];
+ u32 guc_id;
 if (unlikely(len < 1))
 return -EPROTO;
+ guc_id = msg[0];
+
 q = g2h_exec_queue_lookup(guc, guc_id);
 if (unlikely(!q))
 return -EPROTO;
@@ -1948,11 +1952,13 @@ int xe_guc_exec_queue_reset_handler(struct xe_guc *guc, u32 *msg, u32 len)
 {
 struct xe_gt *gt = guc_to_gt(guc);
 struct xe_exec_queue *q;
- u32 guc_id = msg[0];
+ u32 guc_id;
 if (unlikely(len < 1))
 return -EPROTO;
+ guc_id = msg[0];
+
 q = g2h_exec_queue_lookup(guc, guc_id);
 if (unlikely(!q))
 return -EPROTO;
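Review bot: The guard in xe_guc_sched_done_handler is a lower bound only, `if (unlikely(len < 2))`, so a G2H message carrying more dwords than the two the handler reads is accepted and the surplus is silently ignored. If this payload is fixed-size, `if (unlikely(len != 2))` would reject malformed messages outright; if longer messages are deliberately tolerated, a comment above the check such as `/* msg[0] = guc_id, msg[1] = runnable_state; trailing dwords are ignored */` would record that decision. The same lower-bound-only `len < 1` check appears in xe_guc_deregister_done_handler, xe_guc_exec_queue_reset_handler and xe_guc_exec_queue_memory_cat_error_handler. All four handler bodies continue outside their hunks.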
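Review bot: In xe_guc_deregister_done_handler the value read by `guc_id = msg[0];` is still firmware-supplied after the length check, and it goes straight into `g2h_exec_queue_lookup(guc, guc_id)`, whose body is not part of this patch. It is worth confirming that the lookup range-checks guc_id before using it to find the queue, and recording that contract on the helper, for example `/* guc_id comes from a G2H message; must be range-checked here */`. The other three handlers touched by this patch pass guc_id to the same helper in the same way.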
@@ -2008,11 +2014,13 @@ int xe_guc_exec_queue_memory_cat_error_handler(struct xe_guc *guc, u32 *msg,
 {
 struct xe_gt *gt = guc_to_gt(guc);
 struct xe_exec_queue *q;
- u32 guc_id = msg[0];
+ u32 guc_id;
 if (unlikely(len < 1))
 return -EPROTO;
+ guc_id = msg[0];
+
 q = g2h_exec_queue_lookup(guc, guc_id);
 if (unlikely(!q))
 return -EPROTO;
--
2.20.1
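Review bot: In xe_guc_exec_queue_memory_cat_error_handler a too-short message and a failed queue lookup both end in a bare `return -EPROTO;`, so the caller cannot tell the two conditions apart from the return value. `gt` is already in scope here, so the short-message path could emit a diagnostic before returning, for example `xe_gt_err(gt, "G2H message too short: len=%u\n", len);`. That is unnecessary if the G2H dispatcher already logs the length on error, which is not visible in this patch. Logging it would make a malformed G2H message identifiable in the kernel log rather than appearing only as a generic protocol error. The second line of the signature and the rest of the body lie outside the hunk.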