The code accesses the IB without using amdgpu_ib_get_value() so we need some additional bounds checks.
Signed-off-by: Benjamin Cheng <[email protected]>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
index f0f492777b09..1485d92800be 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1928,7 +1928,7 @@ static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int sta
 {
 	int i;
 
-	for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
+	for (i = start; i + 1 < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
 		if (ib->ptr[i + 1] == id)
 			return i;
 	}
@@ -1952,6 +1952,9 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
 	while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
 		val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
 		if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
+			if (idx + 6 + sizeof(struct amdgpu_vcn_decode_buffer) / 4 > ib->length_dw)
+				return -EINVAL;
+
 			decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
 
 			if (!(decode_buffer->valid_buf_flag & 0x1))
@@ -1962,6 +1965,9 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
 			return vcn_v4_0_dec_msg(p, job, addr);
 		} else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
 			sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
+			if (sidx >= 0 && sidx + 2 >= ib->length_dw)
+				return -EINVAL;
+
 			if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
 				return vcn_v4_0_limit_sched(p, job);
 		}
-- 
2.53.0
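Review bot: The loop index `i` and the `start` parameter are `int`, while `length_dw` is, as far as I know, an unsigned `uint32_t` in `struct amdgpu_ib`; a negative `start` would be promoted before the `i + 1 < ib->length_dw` compare and slip past it, so the function silently relies on callers never passing one. Both call sites in the later hunks pass `idx`, which the enclosing `while` condition keeps at `>= 0` once the loop is entered, but the initial value of `idx` is set outside the patch. A one-line comment above the loop, `/* start must be >= 0: i is compared against the unsigned length_dw */`, would pin that contract for future callers. The `ib->ptr[i] >= 8` test keeps the step at two dwords or more, so the loop cannot stall; the rest of the function lies outside the hunk.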
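Review bot: The read `amdgpu_ib_get_value(ib, idx + 2)` on the line above the new check is covered only by the `idx + 1 < ib->length_dw` guarantee from vcn_v4_0_enc_find_ib_param, so unless amdgpu_ib_get_value() bounds-checks internally (its body is not in this patch), an engine-info block placed in the last two dwords of the IB is still read one dword past the end; `if (idx + 2 >= ib->length_dw) return -EINVAL;` ahead of that read would close it. In the added check `sizeof(struct amdgpu_vcn_decode_buffer) / 4` rounds down, so `DIV_ROUND_UP(sizeof(struct amdgpu_vcn_decode_buffer), 4)` is the safer dword count should the struct ever not be a multiple of four bytes. Mixing `int idx` with the `size_t` result is fine here because the `while` condition guarantees `idx >= 0`. The same inline-check pattern recurs for `sidx` in the next hunk; the enclosing function starts and ends outside both hunks.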
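Review bot: Style only: `sidx >= 0` is now tested on two consecutive `if` statements, which reads as two independent conditions when it is one guarded lookup; nesting the bounds check and the AV1 test under a single `if (sidx >= 0) { ... }` makes the relationship explicit and avoids re-evaluating the guard. The `-EINVAL` return for an out-of-bounds session-init block matches the decode path in the previous hunk, which is the consistent choice. The enclosing function continues outside the hunk.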
