From: "Timur Kristóf" <timur.kristof@gmail.com>
To: amd-gfx@lists.freedesktop.org, alexander.deucher@amd.com,
	christian.koenig@amd.com, John Olender <john.olender@gmail.com>
Cc: "Timur Kristóf" <timur.kristof@gmail.com>
Subject: [PATCH 08/11] drm/amdgpu/vce: Check maximum ucode size in amdgpu_vce_resume()
Date: Thu, 23 Apr 2026 03:16:11 +0200	[thread overview]
Message-ID: <20260423011614.309180-9-timur.kristof@gmail.com> (raw)
In-Reply-To: <20260423011614.309180-1-timur.kristof@gmail.com>

Verify that the ucode fits the part of the BO that is
specifically meant for it to avoid overflowing it.

Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 5 ++++-
 drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h | 2 +-
 drivers/gpu/drm/amd/amdgpu/vce_v2_0.c   | 4 ++--
 drivers/gpu/drm/amd/amdgpu/vce_v3_0.c   | 4 ++--
 drivers/gpu/drm/amd/amdgpu/vce_v4_0.c   | 4 ++--
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
index efdebd9c0a1f3..8c620254f0374 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
@@ -324,7 +324,7 @@ int amdgpu_vce_suspend(struct amdgpu_device *adev)
  * @adev: amdgpu_device pointer
  *
  */
-int amdgpu_vce_resume(struct amdgpu_device *adev)
+int amdgpu_vce_resume(struct amdgpu_device *adev, const unsigned long max_size)
 {
 	const struct common_firmware_header *hdr;
 	unsigned int offset;
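Review bot: The kernel-doc block above amdgpu_vce_resume() still lists only `@adev`, so the new `max_size` parameter is undocumented and a kernel-doc build will likely warn about it. I would add ` * @max_size: largest ucode payload, in bytes, that fits the firmware region of the VCPU BO` under the `@adev` line. As a style point, the `const` on a by-value parameter in the prototype differs from `amdgpu_vce_sw_init()` in the same header, which takes a plain `unsigned long size`; dropping it would keep the declarations uniform. The function body continues outside this hunk.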
@@ -336,6 +336,9 @@ int amdgpu_vce_resume(struct amdgpu_device *adev)
 	hdr = (const struct common_firmware_header *)adev->vce.fw->data;
 	offset = le32_to_cpu(hdr->ucode_array_offset_bytes);
 
+	if (adev->vce.fw->size - offset > max_size)
+		return -EINVAL;
+
 	if (drm_dev_enter(adev_to_drm(adev), &idx)) {
 		memset_io(adev->vce.cpu_addr, 0, amdgpu_bo_size(adev->vce.vcpu_bo));
 		memcpy_toio(adev->vce.cpu_addr, adev->vce.fw->data + offset,
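Review bot: The new bound `if (adev->vce.fw->size - offset > max_size)` rejects an `offset` larger than `fw->size` only because the unsigned subtraction wraps to a huge value. Since `offset` comes straight from the firmware header, I would make that case explicit with `if (offset > adev->vce.fw->size || adev->vce.fw->size - offset > max_size)`. The failure path also returns `-EINVAL` without logging, so an oversized or malformed firmware image shows up only as a failed init or resume; a `dev_err(adev->dev, ...)` line reporting the payload size and the limit would make it diagnosable. Nothing in the hunk ties `max_size` to `amdgpu_bo_size(adev->vce.vcpu_bo)`, which the following `memset_io()` uses, so presumably the per-version constants never exceed the BO size, and that is worth confirming. The `memcpy_toio()` statement continues past the end of the hunk.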
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
index 778c714c8385d..a57e2f6f5f930 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
@@ -60,7 +60,7 @@ int amdgpu_vce_sw_init(struct amdgpu_device *adev, unsigned long size);
 int amdgpu_vce_sw_fini(struct amdgpu_device *adev);
 int amdgpu_vce_entity_init(struct amdgpu_device *adev, struct amdgpu_ring *ring);
 int amdgpu_vce_suspend(struct amdgpu_device *adev);
-int amdgpu_vce_resume(struct amdgpu_device *adev);
+int amdgpu_vce_resume(struct amdgpu_device *adev, const unsigned long max_size);
 void amdgpu_vce_free_handles(struct amdgpu_device *adev, struct drm_file *filp);
 int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
 			     struct amdgpu_ib *ib);
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
index db149eda62044..00b4037d4bc89 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
@@ -437,7 +437,7 @@ static int vce_v2_0_sw_init(struct amdgpu_ip_block *ip_block)
 	if (r)
 		return r;
 
-	r = amdgpu_vce_resume(adev);
+	r = amdgpu_vce_resume(adev, VCE_V2_0_FW_SIZE);
 	if (r)
 		return r;
 
@@ -533,7 +533,7 @@ static int vce_v2_0_resume(struct amdgpu_ip_block *ip_block)
 {
 	int r;
 
-	r = amdgpu_vce_resume(ip_block->adev);
+	r = amdgpu_vce_resume(ip_block->adev, VCE_V2_0_FW_SIZE);
 	if (r)
 		return r;
 
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
index 03d79e464f04f..2e97376ff30e5 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
@@ -440,7 +440,7 @@ static int vce_v3_0_sw_init(struct amdgpu_ip_block *ip_block)
 	if (adev->vce.fw_version < FW_52_8_3)
 		adev->vce.num_rings = 2;
 
-	r = amdgpu_vce_resume(adev);
+	r = amdgpu_vce_resume(adev, VCE_V3_0_FW_SIZE);
 	if (r)
 		return r;
 
@@ -544,7 +544,7 @@ static int vce_v3_0_resume(struct amdgpu_ip_block *ip_block)
 {
 	int r;
 
-	r = amdgpu_vce_resume(ip_block->adev);
+	r = amdgpu_vce_resume(ip_block->adev, VCE_V3_0_FW_SIZE);
 	if (r)
 		return r;
 
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
index ee445d8abe474..3309e7b8f2a2e 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
@@ -462,7 +462,7 @@ static int vce_v4_0_sw_init(struct amdgpu_ip_block *ip_block)
 			ALIGN(le32_to_cpu(hdr->ucode_size_bytes), PAGE_SIZE);
 		drm_info(adev_to_drm(adev), "PSP loading VCE firmware\n");
 	} else {
-		r = amdgpu_vce_resume(adev);
+		r = amdgpu_vce_resume(adev, VCE_V4_0_FW_SIZE);
 		if (r)
 			return r;
 	}
@@ -624,7 +624,7 @@ static int vce_v4_0_resume(struct amdgpu_ip_block *ip_block)
 			drm_dev_exit(idx);
 		}
 	} else {
-		r = amdgpu_vce_resume(adev);
+		r = amdgpu_vce_resume(adev, VCE_V4_0_FW_SIZE);
 		if (r)
 			return r;
 	}
-- 
2.53.0

