From: John Harrison John.C.Harrison@Intel.com
Some G2H handlers were reading the context id field from the payload before checking the payload met the minimum length required.
Signed-off-by: John Harrison John.C.Harrison@Intel.com Reviewed-by: Daniele Ceraolo Spurio daniele.ceraolospurio@intel.com --- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c index 5dbebf15fae1..a85e10af0d24 100644 --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c @@ -3892,12 +3892,13 @@ int intel_guc_deregister_done_process_msg(struct intel_guc *guc, u32 len) { struct intel_context *ce; - u32 ctx_id = msg[0]; + u32 ctx_id;
if (unlikely(len < 1)) { drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len); return -EPROTO; } + ctx_id = msg[0];
ce = g2h_context_lookup(guc, ctx_id); if (unlikely(!ce)) @@ -3943,12 +3944,13 @@ int intel_guc_sched_done_process_msg(struct intel_guc *guc, { struct intel_context *ce; unsigned long flags; - u32 ctx_id = msg[0]; + u32 ctx_id;
if (unlikely(len < 2)) { drm_err(&guc_to_gt(guc)->i915->drm, "Invalid length %u\n", len); return -EPROTO; } + ctx_id = msg[0];
ce = g2h_context_lookup(guc, ctx_id); if (unlikely(!ce))