[PATCH] drm/i915/gvt: Double check batch buffer size after copy

Yan Zhao yan.y.zhao at intel.com
Fri May 24 08:06:04 UTC 2019


On Fri, May 24, 2019 at 02:39:54PM +0800, Tina Zhang wrote:
> Double check the size of the privilege buffer to make sure the size
> remains unchanged after copy.
> 
> Signed-off-by: Tina Zhang <tina.zhang at intel.com>
> ---
>  drivers/gpu/drm/i915/gvt/cmd_parser.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c
> index ab002cfd3cab..96dade32a33c 100644
> --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
> +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
> @@ -1717,7 +1717,7 @@ static int perform_bb_shadow(struct parser_exec_state *s)
>  	struct intel_vgpu *vgpu = s->vgpu;
>  	struct intel_vgpu_shadow_bb *bb;
>  	unsigned long gma = 0;
> -	unsigned long bb_size;
> +	unsigned long bb_size, check_bb_size;
>  	int ret = 0;
>  	struct intel_vgpu_mm *mm = (s->buf_addr_type == GTT_BUFFER) ?
>  		s->vgpu->gtt.ggtt_mm : s->workload->shadow_mm;
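
Review bot: check_bb_size, added on the changed declaration line, has a name that does not say it holds the size measured after the copy, which makes it easy to confuse with bb_size in the later comparison. A name such as bb_size_after_copy, or a one-line comment on the declaration, would make the intent clear.
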
> @@ -1783,6 +1783,16 @@ static int perform_bb_shadow(struct parser_exec_state *s)
>  		goto err_unmap;
>  	}
>  
> +	ret = find_bb_size(s, &check_bb_size);
> +	if (ret)
> +		goto err_unmap;
> +
Can just check whether the batch buffer ends with bb start or bb end to
avoid calling find_bb_size() twice, which is a rather heavy call and may cause
an endless loop in itself if a max size limit is not imposed.


> +	if (check_bb_size != bb_size) {
> +		gvt_vgpu_err("guest ring buffer has been changed\n");
> +		ret = -EINVAL;
> +		goto err_unmap;
> +	}
> +
>  	INIT_LIST_HEAD(&bb->list);
>  	list_add(&bb->list, &s->workload->shadow_bb);
>  
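
Review bot: the added find_bb_size(s, &check_bb_size) call is given the same parser state s as the sizing done before the copy, so from these lines it appears to measure the guest's buffer a second time rather than the bytes that were just copied. A guest that changes the buffer during the copy and restores it before this call would still pass, so the check should run against the shadow copy instead. Separately, the message "guest ring buffer has been changed" refers to the ring buffer while the size being compared is the batch buffer's in perform_bb_shadow(); the wording should match.
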
> -- 
> 2.17.1
> 
> _______________________________________________
> intel-gvt-dev mailing list
> intel-gvt-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gvt-dev
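
A variant of the check discussed in this thread, as an added example that is not part of the patch or of the GVT code: a user-space model that sizes a guest batch buffer, copies it into a private shadow, then validates the copy itself with a walk bounded by the size measured before the copy. The command encoding, the 64-dword cap and all names are constructed for illustration and are not the Intel MI format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy encoding (an assumption, not the Intel MI format):
 * bits 31:24 = opcode, bits 7:0 = command length in dwords. */
#define CMD(op, len)  (((uint32_t)(op) << 24) | (uint32_t)(len))
#define OP_NOOP       0x01u
#define OP_BB_END     0x0au
#define OP_BB_START   0x31u
#define MAX_BB_DWORDS 64u /* hard cap so no walk is unbounded */

typedef void (*race_hook)(uint32_t *guest); /* guest write during shadowing */

/* Walk at most max dwords; on success *size includes the terminator. */
static int find_size(const uint32_t *buf, size_t max, size_t *size)
{
	for (size_t i = 0; i < max; ) {
		uint32_t op = buf[i] >> 24;
		size_t len = buf[i] & 0xffu;

		if (len == 0 || len > max - i)
			return -1; /* malformed, or runs past the bound */
		i += len;
		if (op == OP_BB_END || op == OP_BB_START) {
			*size = i;
			return 0;
		}
	}
	return -1; /* no terminator inside the bound */
}

/* Returns dwords shadowed or -1; both buffers hold MAX_BB_DWORDS. */
static long shadow_bb(uint32_t *guest, uint32_t *shadow, race_hook hook)
{
	size_t size, check;

	if (find_size(guest, MAX_BB_DWORDS, &size))
		return -1;
	if (hook)
		hook(guest); /* guest memory may change here */
	memcpy(shadow, guest, size * sizeof(*shadow));
	/* Validate the private copy only; the guest is not read again. */
	if (find_size(shadow, size, &check) || check != size)
		return -1;
	return (long)size;
}

/* Constructed race: the terminator at dword 3 is replaced after sizing. */
static void drop_terminator(uint32_t *guest) { guest[3] = CMD(OP_NOOP, 1); }
```

Because the second walk is limited to the size already measured, it cannot loop past the copied region, and it reads only memory the guest can no longer modify.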

