When MI_FLUSH_DW post write hw status page in index mode, the index value is in dword step. This fixes wrong qword step in cmd parser code which incorrectly stopped VM for invalid MI_FLUSH_DW write index.
Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Cc: stable@vger.kernel.org # v4.10+
Signed-off-by: Zhenyu Wang zhenyuw@linux.intel.com
---
 drivers/gpu/drm/i915/gvt/cmd_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c index 35b4ec3f7618..d42f7a2dc82f 100644 --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -1441,7 +1441,7 @@ static inline int cmd_address_audit(struct parser_exec_state *s, }
if (index_mode) { - if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u64)) { + if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u32)) { ret = -EFAULT; goto err; }
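Review bot: In the index_mode branch, the new limit I915_GTT_PAGE_SIZE / sizeof(u32) is only correct if guest_gma holds a dword index at this point, and the hunk does not show which unit it carries. If guest_gma is already the byte offset taken from the command, offsets in the upper three quarters of the status page are still rejected with -EFAULT and the limit should be I915_GTT_PAGE_SIZE itself. Please confirm the unit and add a short comment above the comparison stating it, so the divisor (or its absence) explains itself.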
Do we need to check whether the index is in DWORD or QWORD, which is specified in DWORD 0 of the command?
BTW, maybe we also need to check whether gma is QWORD aligned?
-----Original Message----- From: intel-gvt-dev [mailto:intel-gvt-dev-bounces@lists.freedesktop.org] On Behalf Of Zhenyu Wang Sent: Monday, February 18, 2019 2:47 PM To: intel-gvt-dev@lists.freedesktop.org Cc: stable@vger.kernel.org Subject: [PATCH] drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check
When MI_FLUSH_DW post write hw status page in index mode, the index value is in dword step. This fixes wrong qword step in cmd parser code which incorrectly stopped VM for invalid MI_FLUSH_DW write index.
Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Cc: stable@vger.kernel.org # v4.10+
Signed-off-by: Zhenyu Wang zhenyuw@linux.intel.com

drivers/gpu/drm/i915/gvt/cmd_parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c index 35b4ec3f7618..d42f7a2dc82f 100644 --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -1441,7 +1441,7 @@ static inline int cmd_address_audit(struct parser_exec_state *s, }
if (index_mode) {
if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u64)) {
}if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u32)) { ret = -EFAULT; goto err;
-- 2.20.1
intel-gvt-dev mailing list intel-gvt-dev@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gvt-dev
On 2019.02.19 03:30:43 +0000, Zhao, Yan Y wrote:
Do we need to check whether the index is in DWORD or QWORD, which is specified in DWORD 0 of the command?
That is for MI_FLUSH_DW cmd length instead of index size I believe. And index is always Qword aligned, but takes steps of u32. So this patch is to fix the upper bound.
BTW, maybe we also need to check whether gma is QWORD aligned?
Current code did masking on it before checking gma.
When MI_FLUSH_DW post write hw status page in index mode, the index value is in dword step and turned into address offset in cmd dword1. As status page size is 4K, so can't exceed that.
This fixed upper bound check in cmd parser code which incorrectly stopped VM for reason of invalid MI_FLUSH_DW write index.
v2: - Fix upper bound as 4K page size because index value is address offset.
Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Cc: stable@vger.kernel.org # v4.10+
Cc: "Zhao, Yan Y" yan.y.zhao@intel.com
Signed-off-by: Zhenyu Wang zhenyuw@linux.intel.com
---
 drivers/gpu/drm/i915/gvt/cmd_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c index 35b4ec3f7618..3592d04c33b2 100644 --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -1441,7 +1441,7 @@ static inline int cmd_address_audit(struct parser_exec_state *s, }
if (index_mode) { - if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u64)) { + if (guest_gma >= I915_GTT_PAGE_SIZE) { ret = -EFAULT; goto err; }
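Review bot: The comparison guest_gma >= I915_GTT_PAGE_SIZE in the index_mode branch bounds only the starting offset of the post-sync write, not its end. The hunk shows no alignment or width check, so an offset within the last few bytes of the page passes; if guest_gma is masked to an aligned value before this point, note that in a comment beside the check, otherwise compare against I915_GTT_PAGE_SIZE minus the size of the write. A one-line comment that guest_gma is a byte offset into the status page here would also record why the sizeof() divisor was dropped.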
Looks good to me.
Reviewed-by: Yan Zhao yan.y.zhao@intel.com
On Wed, Feb 20, 2019 at 04:25:04PM +0800, Zhenyu Wang wrote:
When MI_FLUSH_DW post write hw status page in index mode, the index value is in dword step and turned into address offset in cmd dword1. As status page size is 4K, so can't exceed that.
This fixed upper bound check in cmd parser code which incorrectly stopped VM for reason of invalid MI_FLUSH_DW write index.
v2:
- Fix upper bound as 4K page size because index value is address offset.
Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Cc: stable@vger.kernel.org # v4.10+
Cc: "Zhao, Yan Y" yan.y.zhao@intel.com
Signed-off-by: Zhenyu Wang zhenyuw@linux.intel.com

drivers/gpu/drm/i915/gvt/cmd_parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c index 35b4ec3f7618..3592d04c33b2 100644 --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -1441,7 +1441,7 @@ static inline int cmd_address_audit(struct parser_exec_state *s, } if (index_mode) {
if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u64)) {
}if (guest_gma >= I915_GTT_PAGE_SIZE) { ret = -EFAULT; goto err;
-- 2.20.1
Hi,
[This is an automated email]
This commit has been processed because it contains a "Fixes:" tag, fixing commit: be1da7070aea drm/i915/gvt: vGPU command scanner.
The bot has tested the following trees: v4.20.11, v4.19.24, v4.14.102.
v4.14.102: Failed to apply! Possible dependencies:
    0a53bc07f044 ("drm/i915/gvt: Separate cmd scan from request allocation")
    0cce2823ed37 ("drm/i915/gvt: Refine error handling for prepare_execlist_workload")
    1406a14b0ed9 ("drm/i915/gvt: Introduce intel_vgpu_submission")
    1e3197d6ad73 ("drm/i915/gvt: Refine error handling for perform_bb_shadow")
    21527a8dafc4 ("drm/i915/gvt: Factor out vGPU workload creation/destroy")
    54cff6479fd8 ("drm/i915/gvt: Make elsp_dwords in the right order")
    5c56883a9531 ("drm/i915/gvt: Change the return type during command scan")
    5d5fe176155e ("drm/i915/kvmgt: Sanitize PCI bar emulation")
    6d76303553ba ("drm/i915/gvt: Move common vGPU workload creation into scheduler.c")
    7d1e5cdf0178 ("drm/i915/gvt: Factor intel_vgpu_page_track")
    9556e1188892 ("drm/i915/gvt: Use I915_GTT_PAGE_SIZE")
    9a9829e9eb8b ("drm/i915/gvt: Move workload cache init/clean into intel_vgpu_{setup, clean}_submission()")
    f090a00df9ec ("drm/i915/gvt: Add emulation for BAR2 (aperture) with normal file RW approach")
How should we proceed with this patch?
-- Thanks, Sasha