From: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
commit 92b1aa773fadb4e2a90ed5d3beecb422d568ad9a upstream.
Correct valid command length check for MI_ATOMIC, need to check inline
data available field instead of operand data length for whole command.
Fixes: 00a33be40634 ("drm/i915/gvt: Add valid length check for MI variable commands")
Reported-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
Acked-by: Gao Fred <fred.gao@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/gpu/drm/i915/gvt/cmd_parser.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -1597,9 +1597,9 @@ static int cmd_handler_mi_op_2f(struct p
if (!(cmd_val(s, 0) & (1 << 22)))
return ret;
- /* check if QWORD */
- if (DWORD_FIELD(0, 20, 19) == 1)
- valid_len += 8;
+ /* check inline data */
+ if (cmd_val(s, 0) & BIT(18))
+ valid_len = CMD_LEN(9);
ret = gvt_check_valid_cmd_length(cmd_length(s),
valid_len);
if (ret)
