Quoting Michal Wajdeczko (2017-08-04 17:27:09)
> static inline const char *guc_ct_buffer_type_to_str(u32 type)
> @@ -600,13 +609,76 @@ static int guc_handle_response(struct intel_guc *guc, const u32 *data)
> static int guc_handle_request(struct intel_guc *guc, const u32 *data)
> {
> u32 header = data[0];
> + u32 len = ct_header_get_len(header) + 1; /* total len with header */
> + struct ct_incoming_request *request;
> + unsigned long flags;
>
> GEM_BUG_ON(ct_header_is_response(header));
> /* data layout beyond header is request specific */
>
> + request = kmalloc(sizeof(*request), GFP_ATOMIC);
> + if (unlikely(!request)) {
> + DRM_ERROR("CT: dropping request %*phn\n", 4*len, data);
> + return 0; /* XXX: -ENOMEM ? */
> + }
> +
> + GEM_BUG_ON(len > GUC_CT_MSG_LEN_MASK + 1);
This is incoming from the guc, if we can validate it, do so. Keep GEM_BUG_ON() for programming errors and absolute catastrophe.
-Chris
_______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx