Signed-off-by: Jordan Justen <jordan.l.justen@xxxxxxxxx> --- .../gpu/drm/i915/gt/uc/intel_guc_hwconfig.c | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c index ce6088f112d4..695ef7a8f519 100644 --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_hwconfig.c @@ -71,6 +71,26 @@ static int guc_hwconfig_discover_size(struct intel_guc_hwconfig *hwconfig) return 0; } +static int verify_hwconfig_blob(const struct intel_guc_hwconfig *hwconfig) +{ + if (hwconfig->size % 4 != 0 || hwconfig->ptr == NULL) + return -EINVAL; + + struct drm_i915_query_hwconfig_blob_item *pos = hwconfig->ptr; + u32 remaining = (hwconfig->size / 4); + while (remaining > 0) { + if (remaining < 2) + return -EINVAL; + if (pos->length > remaining - 2) + return -EINVAL; + remaining -= 2 + pos->length; + pos = (void *)&pos->data[pos->length]; + } + + DRM_INFO("hwconfig blob format appears valid\n"); + return 0; +} + static int guc_hwconfig_fill_buffer(struct intel_guc_hwconfig *hwconfig) { struct intel_guc *guc = hwconfig_to_guc(hwconfig); @@ -91,6 +111,12 @@ static int guc_hwconfig_fill_buffer(struct intel_guc_hwconfig *hwconfig) if (ret >= 0) memcpy(hwconfig->ptr, vaddr, hwconfig->size); + if (verify_hwconfig_blob(hwconfig)) { + DRM_ERROR("Ignoring invalid hwconfig blob received from " + "GuC!\n"); + return -EINVAL; + } + i915_vma_unpin_and_release(&vma, I915_VMA_RELEASE_MAP); return ret; -- 2.34.1