[Public] You may change the function signature to u32 *. I don't think any table of larger size is expected. Ellen, please confirm.
Thanks, Lijo ________________________________ From: amd-gfx <[email protected]> on behalf of Srinivasan Shanmugam <[email protected]> Sent: Wednesday, October 22, 2025 7:04:25 PM To: Koenig, Christian <[email protected]>; Deucher, Alexander <[email protected]> Cc: [email protected] <[email protected]>; SHANMUGAM, SRINIVASAN <[email protected]>; Pan, Ellen <[email protected]> Subject: [PATCH] drm/amdgpu: Fix pointer casts when reading dynamic region sizes The function amdgpu_virt_get_dynamic_data_info() writes a 64-bit size value. In two places (amdgpu_bios.c and amdgpu_discovery.c), the code passed the address of a smaller variable by casting it to u64 *, which is unsafe. This could make the function write more bytes than the smaller variable can hold, possibly overwriting nearby memory. Reported by static analysis tools. Fix it by using a local u64 variable (tmp_size) to store the size, then assign it to the smaller destination field. Fixes: ae92010fb321 ("drm/amdgpu: Add logic for VF ipd and VF bios to init from dynamic crit_region offsets") Reported by: Dan Carpenter <[email protected]> Cc: Ellen Pan <[email protected]> Cc: Christian König <[email protected]> Cc: Alex Deucher <[email protected]> Signed-off-by: Srinivasan Shanmugam <[email protected]> --- drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 4 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c index db705bf723f1..eb7ba7c593bf 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c @@ -104,6 +104,7 @@ static bool amdgpu_read_bios_from_vram(struct amdgpu_device *adev) uint8_t __iomem *bios = NULL; resource_size_t vram_base; resource_size_t size = 256 * 1024; /* ??? */ + u64 tmp_size = 0; if (!(adev->flags & AMD_IS_APU)) if (amdgpu_device_need_post(adev)) @@ -126,10 +127,11 @@ static bool amdgpu_read_bios_from_vram(struct amdgpu_device *adev) */ if (amdgpu_sriov_vf(adev) && adev->virt.is_dynamic_crit_regn_enabled) { if (amdgpu_virt_get_dynamic_data_info(adev, - AMD_SRIOV_MSG_VBIOS_IMG_TABLE_ID, adev->bios, (uint64_t *)&size)) { + AMD_SRIOV_MSG_VBIOS_IMG_TABLE_ID, adev->bios, &tmp_size)) { amdgpu_bios_release(adev); return false; } + adev->bios_size = (resource_size_t)tmp_size; } else { bios = ioremap_wc(vram_base, size); if (!bios) { diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c index a7cb4665f485..87f024f72a59 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c @@ -275,6 +275,7 @@ static int amdgpu_discovery_read_binary_from_mem(struct amdgpu_device *adev, uint64_t vram_size; int i, ret = 0; u32 msg; + u64 tmp_size = 0; if (!amdgpu_sriov_vf(adev)) { /* It can take up to two second for IFWI init to complete on some dGPUs, @@ -311,12 +312,13 @@ static int amdgpu_discovery_read_binary_from_mem(struct amdgpu_device *adev, */ if (amdgpu_virt_get_dynamic_data_info(adev, AMD_SRIOV_MSG_IPD_TABLE_ID, binary, - (uint64_t *)&adev->discovery.size)) { + &tmp_size)) { dev_err(adev->dev, "failed to read discovery info from dynamic critical region."); ret = -EINVAL; goto exit; } + adev->discovery.size = (u32)tmp_size; } else { uint64_t pos = vram_size - DISCOVERY_TMR_OFFSET; -- 2.34.1
