From: Zhenyu Wang zhenyuw@linux.intel.com
commit 92b1aa773fadb4e2a90ed5d3beecb422d568ad9a upstream.
Correct valid command length check for MI_ATOMIC, need to check inline data available field instead of operand data length for whole command.
Fixes: 00a33be40634 ("drm/i915/gvt: Add valid length check for MI variable commands") Reported-by: Alex Williamson alex.williamson@redhat.com Acked-by: Gao Fred fred.gao@intel.com Cc: stable@vger.kernel.org Signed-off-by: Zhenyu Wang zhenyuw@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/i915/gvt/cmd_parser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -1597,9 +1597,9 @@ static int cmd_handler_mi_op_2f(struct p if (!(cmd_val(s, 0) & (1 << 22))) return ret;
- /* check if QWORD */ - if (DWORD_FIELD(0, 20, 19) == 1) - valid_len += 8; + /* check inline data */ + if (cmd_val(s, 0) & BIT(18)) + valid_len = CMD_LEN(9); ret = gvt_check_valid_cmd_length(cmd_length(s), valid_len); if (ret)