[Intel-gfx] [PATCH 8/8] drm/i915/guc: Fix potential invalid pointer dereferences when decoding G2Hs

[Ceraolo Spurio, Daniele]

On 2/17/2022 3:52 PM, John.C.Harrison at Intel.com wrote:
> From: John Harrison <John.C.Harrison at Intel.com>
>
> Some G2H handlers were reading the context id field from the payload
> before checking the payload met the minimum length required.
>
> Signed-off-by: John Harrison <John.C.Harrison at Intel.com>

Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio at intel.com>

While double-checking the other msg handler I noticed that we don't do 
any checks on len for intel_guc_log_handle_flush_event(). Not really 
relevant for this patch, just wondering out loud if we should add a 
check to make sure the message is not corrupted.

Daniele

> ---
>   drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> index b70b1ff46418..ea17dca68674 100644
> --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
> @@ -3895,12 +3895,13 @@ int intel_guc_deregister_done_process_msg(struct intel_guc *guc,
>   					  u32 len)
>   {
>   	struct intel_context *ce;
> -	u32 ctx_id = msg[0];
> +	u32 ctx_id;
>   
>   	if (unlikely(len < 1)) {
>   		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
>   		return -EPROTO;
>   	}
> +	ctx_id = msg[0];
>   
>   	ce = g2h_context_lookup(guc, ctx_id);
>   	if (unlikely(!ce))
> @@ -3946,12 +3947,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc *guc,
>   {
>   	struct intel_context *ce;
>   	unsigned long flags;
> -	u32 ctx_id = msg[0];
> +	u32 ctx_id;
>   
>   	if (unlikely(len < 2)) {
>   		drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len);
>   		return -EPROTO;
>   	}
> +	ctx_id = msg[0];
>   
>   	ce = g2h_context_lookup(guc, ctx_id);
>   	if (unlikely(!ce))