drm/amd/ras: bound CPER record fetch buffer size

Bound CPER record fetch allocation by buffer size.

v2: Drop redundant cap on cper_num and raise
    GET_CPER_RECORD max buffer size.

Suggested-by: YiPeng Chai <YiPeng.Chai@amd.com>
Signed-off-by: Candice Li <candice.li@amd.com>
Reviewed-by: Tao Zhou <tao.zhou1@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c b/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
index 4021259115ccb4e14ff66f90ac73ceb2870d4d40..daad99a46263d5f6bd02f71311d66f6706b08ab7 100644 (file)
--- a/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
+++ b/drivers/gpu/drm/amd/ras/ras_mgr/amdgpu_virt_ras_cmd.c
@@ -264,7 +264,8 @@ static int amdgpu_virt_ras_get_cper_records(struct ras_core_context *ras_core,
        if (cmd->input_size != sizeof(struct ras_cmd_cper_record_req))
                return RAS_CMD__ERROR_INVALID_INPUT_SIZE;
 
-       if (!req->buf_size || !req->buf_ptr || !req->cper_num)
+       if (!req->buf_size || !req->buf_ptr || !req->cper_num ||
+           req->buf_size > RAS_CMD_MAX_CPER_BUF_SZ)
                return RAS_CMD__ERROR_INVALID_INPUT_DATA;
 
        trace = kzalloc_objs(*trace, MAX_RECORD_PER_BATCH);

diff --git a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
index 4f89810d85a15eff2e2d2f11a423634b0ee68199..8303aecf91ba71823f4ce627f437a52294a820d5 100644 (file)
--- a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
+++ b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.c
@@ -214,7 +214,8 @@ static int ras_cmd_get_cper_records(struct ras_core_context *ras_core,
        if (cmd->input_size != sizeof(struct ras_cmd_cper_record_req))
                return RAS_CMD__ERROR_INVALID_INPUT_SIZE;
 
-       if (!req->buf_size || !req->buf_ptr || !req->cper_num)
+       if (!req->buf_size || !req->buf_ptr || !req->cper_num ||
+           req->buf_size > RAS_CMD_MAX_CPER_BUF_SZ)
                return RAS_CMD__ERROR_INVALID_INPUT_DATA;
 
        buffer = kzalloc(req->buf_size, GFP_KERNEL);

diff --git a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
index 7ea35a02898742c372d02542286a603ed64d3b8b..a1d4b8b028412bcd48db2bb0e798349d91a17323 100644 (file)
--- a/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
+++ b/drivers/gpu/drm/amd/ras/rascore/ras_cmd.h
@@ -405,6 +405,9 @@ struct batch_ras_trace_info {
 
 #define RAS_CMD_MAX_BATCH_NUM  300
 #define RAS_CMD_MAX_TRACE_NUM  300
+
+/* Upper bounds for RAS_CMD__GET_CPER_RECORD to limit kernel allocations and work. */
+#define RAS_CMD_MAX_CPER_BUF_SZ        (2 * 1024U * 1024U) /* 2 MiB */
 struct ras_cmd_batch_trace_record_rsp {
        uint32_t version;
        uint16_t real_batch_num;