Commit 2f24636b authored by Changbin Du's avatar Changbin Du Committed by Zhenyu Wang

drm/i915/gvt: Fix the validation on size field of dp aux header

The assertion for len is wrong, so fix it. And for where to validate
user input, we should not warn by call trace.

[ 290.584739] WARNING: CPU: 0 PID: 1471 at drivers/gpu/drm/i915/gvt/handlers.c:969 dp_aux_ch_ctl_mmio_write+0x394/0x430 [i915]
[ 290.586113] task: ffff880111fe8000 task.stack: ffffc90044a9c000
[ 290.586192] RIP: e030:dp_aux_ch_ctl_mmio_write+0x394/0x430 [i915]
[ 290.586258] RSP: e02b:ffffc90044a9fd88 EFLAGS: 00010282
[ 290.586315] RAX: 0000000000000017 RBX: 0000000000000003 RCX: ffffffff82461148
[ 290.586391] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000201
[ 290.586468] RBP: ffffc90043ed1000 R08: 0000000000000248 R09: 00000000000003d8
[ 290.586544] R10: ffffc90044bdd314 R11: 0000000000000011 R12: 0000000000064310
[ 290.586621] R13: 00000000fe4003ff R14: ffffc900432d1008 R15: ffff88010fa7cb40
[ 290.586701] FS: 0000000000000000(0000) GS:ffff880123200000(0000) knlGS:0000000000000000
[ 290.586787] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 290.586849] CR2: 00007f67ea44e000 CR3: 0000000116078000 CR4: 0000000000042660
[ 290.586926] Call Trace:
[ 290.586958] ? __switch_to_asm+0x40/0x70
[ 290.587017] intel_vgpu_mmio_reg_rw+0x1ec/0x3c0 [i915]
[ 290.587087] intel_vgpu_emulate_mmio_write+0xa8/0x2c0 [i915]
[ 290.587151] xengt_emulation_thread+0x501/0x7a0 [xengt]
[ 290.587208] ? __schedule+0x3c6/0x890
[ 290.587250] ? wait_woken+0x80/0x80
[ 290.587290] kthread+0xfc/0x130
[ 290.587326] ? xengt_gpa_to_va+0x1f0/0x1f0 [xengt]
[ 290.587378] ? kthread_create_on_node+0x70/0x70
[ 290.587429] ? do_group_exit+0x3a/0xa0
[ 290.587471] ret_from_fork+0x35/0x40

Fixes: 04d348ae ("drm/i915/gvt: vGPU display virtualization")
Signed-off-by: default avatarChangbin Du <changbin.du@intel.com>
Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
parent ffdf16ed
...@@ -67,7 +67,7 @@ ...@@ -67,7 +67,7 @@
#define AUX_NATIVE_REPLY_NAK (0x1 << 4) #define AUX_NATIVE_REPLY_NAK (0x1 << 4)
#define AUX_NATIVE_REPLY_DEFER (0x2 << 4) #define AUX_NATIVE_REPLY_DEFER (0x2 << 4)
#define AUX_BURST_SIZE 16 #define AUX_BURST_SIZE 20
/* DPCD addresses */ /* DPCD addresses */
#define DPCD_REV 0x000 #define DPCD_REV 0x000
......
...@@ -898,11 +898,14 @@ static int dp_aux_ch_ctl_mmio_write(struct intel_vgpu *vgpu, ...@@ -898,11 +898,14 @@ static int dp_aux_ch_ctl_mmio_write(struct intel_vgpu *vgpu,
} }
/* /*
* Write request format: (command + address) occupies * Write request format: Headr (command + address + size) occupies
* 3 bytes, followed by (len + 1) bytes of data. * 4 bytes, followed by (len + 1) bytes of data. See details at
* intel_dp_aux_transfer().
*/ */
if (WARN_ON((len + 4) > AUX_BURST_SIZE)) if ((len + 1 + 4) > AUX_BURST_SIZE) {
gvt_vgpu_err("dp_aux_header: len %d is too large\n", len);
return -EINVAL; return -EINVAL;
}
/* unpack data from vreg to buf */ /* unpack data from vreg to buf */
for (t = 0; t < 4; t++) { for (t = 0; t < 4; t++) {
...@@ -966,8 +969,10 @@ static int dp_aux_ch_ctl_mmio_write(struct intel_vgpu *vgpu, ...@@ -966,8 +969,10 @@ static int dp_aux_ch_ctl_mmio_write(struct intel_vgpu *vgpu,
/* /*
* Read reply format: ACK (1 byte) plus (len + 1) bytes of data. * Read reply format: ACK (1 byte) plus (len + 1) bytes of data.
*/ */
if (WARN_ON((len + 2) > AUX_BURST_SIZE)) if ((len + 2) > AUX_BURST_SIZE) {
gvt_vgpu_err("dp_aux_header: len %d is too large\n", len);
return -EINVAL; return -EINVAL;
}
/* read from virtual DPCD to vreg */ /* read from virtual DPCD to vreg */
/* first 4 bytes: [ACK][addr][addr+1][addr+2] */ /* first 4 bytes: [ACK][addr][addr+1][addr+2] */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment