UBUNTU: SAUCE: drm/i915: Allow parsing of unsized batches

CVE-2019-0155

In "drm/i915: Add support for mandatory cmdparsing" we introduced the
concept of mandatory parsing. This allows the cmdparser to be invoked
even when user passes batch_len=0 to the execbuf ioctl's.

However, the cmdparser needs to know the extents of the buffer being
scanned. Refactor the code to ensure the cmdparser uses the actual
object size, instead of the incoming length, if user passes 0.

Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
[tyhicks: Backport to 5.0
 - i915_gem_execbuffer.c is higher up one directory level]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Timo Aaltonen <tjaalton@ubuntu.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 3b8629b97776b3e7198c0cfc77c4c1d2b3c82754..5a18a623b7737f5ccd5ccb08ac06b3946465b0d8 100644 (file)
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -312,7 +312,8 @@ static inline u64 gen8_noncanonical_addr(u64 address)
 static inline bool eb_use_cmdparser(const struct i915_execbuffer *eb)
 {
        return intel_engine_requires_cmd_parser(eb->engine) ||
-               (intel_engine_using_cmd_parser(eb->engine) && eb->batch_len);
+               (intel_engine_using_cmd_parser(eb->engine) &&
+                eb->args->batch_len);
 }
 
 static int eb_create(struct i915_execbuffer *eb)
@@ -2351,6 +2352,9 @@ i915_gem_do_execbuffer(struct drm_device *dev,
                goto err_vma;
        }
 
+       if (eb.batch_len == 0)
+               eb.batch_len = eb.batch->size - eb.batch_start_offset;
+
        if (eb_use_cmdparser(&eb)) {
                struct i915_vma *vma;
 
@@ -2361,9 +2365,6 @@ i915_gem_do_execbuffer(struct drm_device *dev,
                }
        }
 
-       if (eb.batch_len == 0)
-               eb.batch_len = eb.batch->size - eb.batch_start_offset;
-
        /*
         * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
         * batch" bit. Hence we need to pin secure batches into the global gtt.