[PATCH] drm/i915/gvt: Double check batch buffer size after copy

[Tina Zhang]

Double check the size of the privilege buffer to make sure the size
remains unchanged after copy.

Signed-off-by: Tina Zhang <tina.zhang at intel.com>
---
 drivers/gpu/drm/i915/gvt/cmd_parser.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c
index ab002cfd3cab..96dade32a33c 100644
--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -1717,7 +1717,7 @@ static int perform_bb_shadow(struct parser_exec_state *s)
 	struct intel_vgpu *vgpu = s->vgpu;
 	struct intel_vgpu_shadow_bb *bb;
 	unsigned long gma = 0;
-	unsigned long bb_size;
+	unsigned long bb_size, check_bb_size;
 	int ret = 0;
 	struct intel_vgpu_mm *mm = (s->buf_addr_type == GTT_BUFFER) ?
 		s->vgpu->gtt.ggtt_mm : s->workload->shadow_mm;
@@ -1783,6 +1783,16 @@ static int perform_bb_shadow(struct parser_exec_state *s)
 		goto err_unmap;
 	}
 
+	ret = find_bb_size(s, &check_bb_size);
+	if (ret)
+		goto err_unmap;
+
+	if (check_bb_size != bb_size) {
+		gvt_vgpu_err("guest ring buffer has been changed\n");
+		ret = -EINVAL;
+		goto err_unmap;
+	}
+
 	INIT_LIST_HEAD(&bb->list);
 	list_add(&bb->list, &s->workload->shadow_bb);
 
-- 
2.17.1