From: "Timur Kristóf" <timur.kristof@gmail.com>
To: amd-gfx@lists.freedesktop.org, alexander.deucher@amd.com,
christian.koenig@amd.com, John Olender <john.olender@gmail.com>
Cc: "Timur Kristóf" <timur.kristof@gmail.com>
Subject: [PATCH 08/11] drm/amdgpu/vce: Check maximum ucode size in amdgpu_vce_resume()
Date: Thu, 23 Apr 2026 03:16:11 +0200
Message-ID: <20260423011614.309180-9-timur.kristof@gmail.com>
In-Reply-To: <20260423011614.309180-1-timur.kristof@gmail.com>

Verify that the ucode fits the part of the BO that is
specifically meant for it to avoid overflowing it.

Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 5 ++++-
drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h | 2 +-
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 4 ++--
drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 4 ++--
drivers/gpu/drm/amd/amdgpu/vce_v4_0.c | 4 ++--
5 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
index efdebd9c0a1f3..8c620254f0374 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
@@ -324,7 +324,7 @@ int amdgpu_vce_suspend(struct amdgpu_device *adev)
* @adev: amdgpu_device pointer
*
*/
-int amdgpu_vce_resume(struct amdgpu_device *adev)
+int amdgpu_vce_resume(struct amdgpu_device *adev, const unsigned long max_size)
{
const struct common_firmware_header *hdr;
unsigned int offset;
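
Review bot: the kernel-doc block above amdgpu_vce_resume() still documents only @adev, while the signature in this hunk gains max_size. Please add an @max_size line saying that it is the size in bytes of the part of the BO reserved for the ucode, so that callers know which constant they are expected to pass.
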
@@ -336,6 +336,9 @@ int amdgpu_vce_resume(struct amdgpu_device *adev)
hdr = (const struct common_firmware_header *)adev->vce.fw->data;
offset = le32_to_cpu(hdr->ucode_array_offset_bytes);
+ if (adev->vce.fw->size - offset > max_size)
+ return -EINVAL;
+
if (drm_dev_enter(adev_to_drm(adev), &idx)) {
memset_io(adev->vce.cpu_addr, 0, amdgpu_bo_size(adev->vce.vcpu_bo));
memcpy_toio(adev->vce.cpu_addr, adev->vce.fw->data + offset,
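
Review bot: the new test adev->vce.fw->size - offset > max_size subtracts before anything has established that offset, which is read from the firmware header, is no larger than adev->vce.fw->size. When offset is larger, the unsigned subtraction wraps, and the wrapped value is rejected only if it happens to exceed max_size, which is not guaranteed where size_t is 32 bits wide; the memcpy_toio() source adev->vce.fw->data + offset would then point past the end of the firmware image. Suggest rejecting offset > adev->vce.fw->size with -EINVAL first and only then comparing the remainder against max_size. A dev_err() that prints both sizes would also help, since the function otherwise fails without saying why.
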
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
index 778c714c8385d..a57e2f6f5f930 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.h
@@ -60,7 +60,7 @@ int amdgpu_vce_sw_init(struct amdgpu_device *adev, unsigned long size);
int amdgpu_vce_sw_fini(struct amdgpu_device *adev);
int amdgpu_vce_entity_init(struct amdgpu_device *adev, struct amdgpu_ring *ring);
int amdgpu_vce_suspend(struct amdgpu_device *adev);
-int amdgpu_vce_resume(struct amdgpu_device *adev);
+int amdgpu_vce_resume(struct amdgpu_device *adev, const unsigned long max_size);
void amdgpu_vce_free_handles(struct amdgpu_device *adev, struct drm_file *filp);
int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
struct amdgpu_ib *ib);
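
Review bot: const on the by-value max_size parameter in this prototype has no effect for callers and does not match amdgpu_vce_sw_init(struct amdgpu_device *adev, unsigned long size) declared just above it in the same header. Plain unsigned long max_size would be consistent with the surrounding declarations.
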
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
index db149eda62044..00b4037d4bc89 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
@@ -437,7 +437,7 @@ static int vce_v2_0_sw_init(struct amdgpu_ip_block *ip_block)
if (r)
return r;
- r = amdgpu_vce_resume(adev);
+ r = amdgpu_vce_resume(adev, VCE_V2_0_FW_SIZE);
if (r)
return r;
@@ -533,7 +533,7 @@ static int vce_v2_0_resume(struct amdgpu_ip_block *ip_block)
{
int r;
- r = amdgpu_vce_resume(ip_block->adev);
+ r = amdgpu_vce_resume(ip_block->adev, VCE_V2_0_FW_SIZE);
if (r)
return r;
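
Review bot: the VCE_V2_0_FW_SIZE argument at both call sites in vce_v2_0.c is the constant as it stands before "[PATCH 09/11] drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets". If that value is currently smaller than the ucode payload, this commit on its own makes vce_v2_0_sw_init() and vce_v2_0_resume() return -EINVAL until the later patch lands, which hurts bisection. Please confirm the existing constant is large enough, or move the size fixes ahead of this check; the same question applies to VCE_V3_0_FW_SIZE and VCE_V4_0_FW_SIZE in the hunks that follow.
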
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
index 03d79e464f04f..2e97376ff30e5 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
@@ -440,7 +440,7 @@ static int vce_v3_0_sw_init(struct amdgpu_ip_block *ip_block)
if (adev->vce.fw_version < FW_52_8_3)
adev->vce.num_rings = 2;
- r = amdgpu_vce_resume(adev);
+ r = amdgpu_vce_resume(adev, VCE_V3_0_FW_SIZE);
if (r)
return r;
@@ -544,7 +544,7 @@ static int vce_v3_0_resume(struct amdgpu_ip_block *ip_block)
{
int r;
- r = amdgpu_vce_resume(ip_block->adev);
+ r = amdgpu_vce_resume(ip_block->adev, VCE_V3_0_FW_SIZE);
if (r)
return r;
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
index ee445d8abe474..3309e7b8f2a2e 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c
@@ -462,7 +462,7 @@ static int vce_v4_0_sw_init(struct amdgpu_ip_block *ip_block)
ALIGN(le32_to_cpu(hdr->ucode_size_bytes), PAGE_SIZE);
drm_info(adev_to_drm(adev), "PSP loading VCE firmware\n");
} else {
- r = amdgpu_vce_resume(adev);
+ r = amdgpu_vce_resume(adev, VCE_V4_0_FW_SIZE);
if (r)
return r;
}
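
Review bot: in vce_v4_0_sw_init() the VCE_V4_0_FW_SIZE bound is enforced only in the else branch; the PSP branch above it takes hdr->ucode_size_bytes from the firmware header with no comparison against that constant. If the PSP path never copies the ucode into the BO and so needs no bound, a sentence in the commit message saying so would settle it; otherwise the same limit should be checked there as well.
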
@@ -624,7 +624,7 @@ static int vce_v4_0_resume(struct amdgpu_ip_block *ip_block)
drm_dev_exit(idx);
}
} else {
- r = amdgpu_vce_resume(adev);
+ r = amdgpu_vce_resume(adev, VCE_V4_0_FW_SIZE);
if (r)
return r;
}
--
2.53.0
Thread overview: 23+ messages
2026-04-23 1:16 [PATCH 00/11] VCE1 fixes (v2) Timur Kristóf
2026-04-23 1:16 ` [PATCH 01/11] drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti Timur Kristóf
2026-04-23 11:04 ` Christian König
2026-04-23 12:18 ` Timur Kristóf
2026-04-23 13:32 ` Christian König
2026-04-23 1:16 ` [PATCH 02/11] drm/amdgpu/vce1: Check that the GPU address is < 128 MiB Timur Kristóf
2026-04-23 11:06 ` Christian König
2026-04-23 1:16 ` [PATCH 03/11] drm/amdgpu/vce1: Remove superfluous address check Timur Kristóf
2026-04-23 1:16 ` [PATCH 04/11] drm/amdgpu/vce1: Check if VRAM address is lower than GART Timur Kristóf
2026-04-23 1:16 ` [PATCH 05/11] drm/amdgpu/vce1: Don't repeat GTT MGR node allocation Timur Kristóf
2026-04-23 1:16 ` [PATCH 06/11] drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets Timur Kristóf
2026-04-23 11:12 ` Christian König
2026-04-23 1:16 ` [PATCH 07/11] drm/amdgpu/vce1: Stop using amdgpu_vce_resume Timur Kristóf
2026-04-23 11:13 ` Christian König
2026-04-23 1:16 ` Timur Kristóf [this message]
2026-04-23 1:16 ` [PATCH 09/11] drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets Timur Kristóf
2026-04-23 11:28 ` Christian König
2026-04-23 18:10 ` John Olender
2026-04-23 1:16 ` [PATCH 10/11] drm/amdgpu/vce3: Fix VCE 3 " Timur Kristóf
2026-04-23 11:29 ` Christian König
2026-04-23 1:16 ` [PATCH 11/11] drm/amdgpu/vce4: Fix VCE 4 " Timur Kristóf
2026-04-23 11:31 ` Christian König
2026-04-23 11:50 ` Timur Kristóf