58 lines
2.0 KiB
Diff
58 lines
2.0 KiB
Diff
From: Jon Bloomfield <jon.bloomfield@intel.com>
|
|
Date: Wed, 1 Aug 2018 09:45:50 -0700
|
|
Subject: drm/i915: Allow parsing of unsized batches
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
|
|
|
|
commit 435e8fc059dbe0eec823a75c22da2972390ba9e0 upstream.
|
|
|
|
In "drm/i915: Add support for mandatory cmdparsing" we introduced the
|
|
concept of mandatory parsing. This allows the cmdparser to be invoked
|
|
even when user passes batch_len=0 to the execbuf ioctl's.
|
|
|
|
However, the cmdparser needs to know the extents of the buffer being
|
|
scanned. Refactor the code to ensure the cmdparser uses the actual
|
|
object size, instead of the incoming length, if user passes 0.
|
|
|
|
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
|
|
Cc: Tony Luck <tony.luck@intel.com>
|
|
Cc: Dave Airlie <airlied@redhat.com>
|
|
Cc: Takashi Iwai <tiwai@suse.de>
|
|
Cc: Tyler Hicks <tyhicks@canonical.com>
|
|
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
|
|
---
|
|
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
|
@@ -310,7 +310,8 @@ static inline u64 gen8_noncanonical_addr
|
|
static inline bool eb_use_cmdparser(const struct i915_execbuffer *eb)
|
|
{
|
|
return intel_engine_requires_cmd_parser(eb->engine) ||
|
|
- (intel_engine_using_cmd_parser(eb->engine) && eb->batch_len);
|
|
+ (intel_engine_using_cmd_parser(eb->engine) &&
|
|
+ eb->args->batch_len);
|
|
}
|
|
|
|
static int eb_create(struct i915_execbuffer *eb)
|
|
@@ -2341,6 +2342,9 @@ i915_gem_do_execbuffer(struct drm_device
|
|
goto err_vma;
|
|
}
|
|
|
|
+ if (eb.batch_len == 0)
|
|
+ eb.batch_len = eb.batch->size - eb.batch_start_offset;
|
|
+
|
|
if (eb_use_cmdparser(&eb)) {
|
|
struct i915_vma *vma;
|
|
|
|
@@ -2351,9 +2355,6 @@ i915_gem_do_execbuffer(struct drm_device
|
|
}
|
|
}
|
|
|
|
- if (eb.batch_len == 0)
|
|
- eb.batch_len = eb.batch->size - eb.batch_start_offset;
|
|
-
|
|
/*
|
|
* snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
|
|
* batch" bit. Hence we need to pin secure batches into the global gtt.
|