Signed-off-by: Jordan Justen <[email protected]>
---
.../gpu/drm/i915/gt/uc/intel_guc_hwconfig.c | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
index ce6088f112d4..695ef7a8f519 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
@@ -71,6 +71,26 @@ static int guc_hwconfig_discover_size(struct
intel_guc_hwconfig *hwconfig)
return 0;
}
+static int verify_hwconfig_blob(const struct intel_guc_hwconfig *hwconfig)
+{
+ if (hwconfig->size % 4 != 0 || hwconfig->ptr == NULL)
+ return -EINVAL;
+
+ struct drm_i915_query_hwconfig_blob_item *pos = hwconfig->ptr;
+ u32 remaining = (hwconfig->size / 4);
+ while (remaining > 0) {
+ if (remaining < 2)
+ return -EINVAL;
+ if (pos->length > remaining - 2)
+ return -EINVAL;
+ remaining -= 2 + pos->length;
+ pos = (void *)&pos->data[pos->length];
+ }
+
+ DRM_INFO("hwconfig blob format appears valid\n");
+ return 0;
+}
+
static int guc_hwconfig_fill_buffer(struct intel_guc_hwconfig *hwconfig)
{
struct intel_guc *guc = hwconfig_to_guc(hwconfig);
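Review bot: verify_hwconfig_blob walks firmware-supplied data using a bare `4` and `2` with no comment stating the layout it enforces; a short header comment such as `/* blob is a sequence of u32 items: key, length, then length u32s of data */` and `sizeof(u32)` in place of `4` would make the check auditable. The declarations of `pos` and `remaining` also follow the first `if`, which kernel builds flag as a declaration after a statement, so they should move to the top of the function. The bounds test itself looks sound, because `remaining < 2` is rejected before `remaining - 2` is evaluated, so the subtraction cannot wrap. A zero-size blob with a non-NULL `ptr` skips the loop and is reported as valid; if that is not intended, reject `hwconfig->size == 0` in the first check.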
@@ -91,6 +111,12 @@ static int guc_hwconfig_fill_buffer(struct
intel_guc_hwconfig *hwconfig)
if (ret >= 0)
memcpy(hwconfig->ptr, vaddr, hwconfig->size);
+ if (verify_hwconfig_blob(hwconfig)) {
+ DRM_ERROR("Ignoring invalid hwconfig blob received from "
+ "GuC!\n");
+ return -EINVAL;
+ }
+
i915_vma_unpin_and_release(&vma, I915_VMA_RELEASE_MAP);
return ret;
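Review bot: The early `return -EINVAL;` added after the memcpy skips `i915_vma_unpin_and_release(&vma, I915_VMA_RELEASE_MAP)` on the following line, so a blob that fails validation leaves the VMA pinned and mapped. The check also runs when `ret < 0`, where nothing was copied into `hwconfig->ptr`, so it validates whatever the buffer already held and replaces the original error code. Moving the call inside the `if (ret >= 0)` branch and using `ret = -EINVAL;` instead of returning lets the existing release and `return ret;` serve both paths. Whether the caller discards `hwconfig->ptr` on this error cannot be seen here; the start of guc_hwconfig_fill_buffer and its callers are outside the hunk.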
--
2.34.1