i915_drm.h now defines the format of the returned
DRM_I915_QUERY_HWCONFIG_BLOB query item. Since i915 receives this from
the black box GuC software, it should verify that the data matches
that format before sending it to user-space.
The verification makes a single simple pass through the blob contents,
so this verification step should not add a significant amount of init
time to i915.
Signed-off-by: Jordan Justen <jordan.l.jus...@intel.com>
---
.../gpu/drm/i915/gt/uc/intel_guc_hwconfig.c | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
index ce6088f112d4..6208246d4209 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c
@@ -71,6 +71,29 @@ static int guc_hwconfig_discover_size(struct
intel_guc_hwconfig *hwconfig)
return 0;
}
+static int verify_hwconfig_blob(const struct intel_guc_hwconfig *hwconfig)
+{
+ struct drm_i915_query_hwconfig_blob_item *pos;
+ u32 remaining;
+
+ if (hwconfig->size % 4 != 0 || hwconfig->ptr == NULL)
+ return -EINVAL;
+
+ pos = hwconfig->ptr;
+ remaining = (hwconfig->size / 4);
+ while (remaining > 0) {
+ if (remaining < 2)
+ return -EINVAL;
+ if (pos->length > remaining - 2)
+ return -EINVAL;
+ remaining -= 2 + pos->length;
+ pos = (void *)&pos->data[pos->length];
+ }
+
+ DRM_INFO("hwconfig blob format appears valid\n");
+ return 0;
+}
+
static int guc_hwconfig_fill_buffer(struct intel_guc_hwconfig *hwconfig)
{
struct intel_guc *guc = hwconfig_to_guc(hwconfig);
@@ -91,6 +114,12 @@ static int guc_hwconfig_fill_buffer(struct
intel_guc_hwconfig *hwconfig)
if (ret >= 0)
memcpy(hwconfig->ptr, vaddr, hwconfig->size);
+ if (verify_hwconfig_blob(hwconfig)) {
+ DRM_ERROR("Ignoring invalid hwconfig blob received from "
+ "GuC!\n");
+ return -EINVAL;
+ }
+
i915_vma_unpin_and_release(&vma, I915_VMA_RELEASE_MAP);
return ret;
--
2.34.1
