Quoting Michal Srb (2018-02-05 14:29:16) > The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is > possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. > In that case check_cmd will read bits from the following command, or even past > the end of the buffer. > > Similarly to how registers are checked - if the offset ends up outside of the > command length, just ignore it. > > Signed-off-by: Michal Srb <msrb@xxxxxxxx> > --- > drivers/gpu/drm/i915/i915_cmd_parser.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c > index de7ec59433d1..827740b866a8 100644 > --- a/drivers/gpu/drm/i915/i915_cmd_parser.c > +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c > @@ -1218,6 +1218,9 @@ static bool check_cmd(const struct intel_engine_cs *engine, > continue; > } > > + if (desc->bits[i].offset >= length) > + continue; Should be return false since the command can't be validated. -Chris _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel
