On 3/25/26 18:51, Benjamin Cheng wrote:
> The code accesses the IB without using amdgpu_ib_get_value() so we need
> some additional bounds checks.
>
> Signed-off-by: Benjamin Cheng <[email protected]>
> ---
> drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
> b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
> index f0f492777b09..1485d92800be 100644
> --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
> +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
> @@ -1928,7 +1928,7 @@ static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib
> *ib, uint32_t id, int sta
> {
> int i;
>
> - for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] /
> 4) {
> + for (i = start; i + 1 < ib->length_dw && ib->ptr[i] >= 8; i +=
> ib->ptr[i] / 4) {
> if (ib->ptr[i + 1] == id)
> return i;
> }
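Review bot: The new loop condition only guarantees that `ib->ptr[i]` and `ib->ptr[i + 1]` lie within `length_dw` for the index it returns, yet both callers in this patch go on to read offset `+2` and, on the decode path, well beyond; that contract is worth stating on the function so the next caller knows any further offset needs its own check. I would put a comment above the loop such as `/* Only ptr[i] and ptr[i + 1] are guaranteed to be within length_dw for the returned i; callers must bounds-check any further offsets themselves. */`. The function's signature is cut by the hunk header and its return after the loop lies outside the hunk.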
> @@ -1952,6 +1952,9 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct
> amdgpu_cs_parser *p,
> while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO,
> idx)) >= 0) {
> val = amdgpu_ib_get_value(ib, idx + 2); /*
> RADEON_VCN_ENGINE_TYPE */
> if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
> + if (idx + 6 + sizeof(struct amdgpu_vcn_decode_buffer) /
> 4 > ib->length_dw)
> + return -EINVAL;
> +
> decode_buffer = (struct amdgpu_vcn_decode_buffer
> *)&ib->ptr[idx + 6];
We should probably stop using the struct here and instead read the fields
directly with amdgpu_ib_get_value().
Regards,
Christian.
>
> if (!(decode_buffer->valid_buf_flag & 0x1))
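Review bot: The engine-type read `val = amdgpu_ib_get_value(ib, idx + 2)` is not covered by the new bounds checks: vcn_v4_0_enc_find_ib_param only guarantees `idx + 1 < ib->length_dw`, so for a parameter sitting at the very end of the IB `idx + 2` equals `length_dw`. Unless amdgpu_ib_get_value() compares the index against length_dw itself (not visible here), that is a read one dword past the declared IB length, and it happens before the decode-buffer check added below it runs. A guard ahead of the read, `if (idx + 2 >= ib->length_dw) return -EINVAL;`, would close that gap for both the decode and the encode branch. Separately, the decode-buffer check is against length_dw only and does not consult the parameter's own size field `ib->ptr[idx]`, so a short ENGINE_INFO parameter would be decoded from whatever dwords follow it; whether that needs rejecting depends on the parameter layout, which this hunk does not show. The enclosing function starts and ends outside the hunk.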
> @@ -1962,6 +1965,9 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct
> amdgpu_cs_parser *p,
> return vcn_v4_0_dec_msg(p, job, addr);
> } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
> sidx = vcn_v4_0_enc_find_ib_param(ib,
> RENCODE_IB_PARAM_SESSION_INIT, idx);
> + if (sidx >= 0 && sidx + 2 >= ib->length_dw)
> + return -EINVAL;
> +
> if (sidx >= 0 && ib->ptr[sidx + 2] ==
> RENCODE_ENCODE_STANDARD_AV1)
> return vcn_v4_0_limit_sched(p, job);
> }
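Review bot: The new check `if (sidx >= 0 && sidx + 2 >= ib->length_dw)` is immediately followed by a raw `ib->ptr[sidx + 2]` dereference, which is the access pattern the commit message sets out to avoid; reading it as `if (sidx >= 0 && amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)` would keep this branch consistent with the engine-type read earlier in the loop. The bounds test itself is fine: the `sidx >= 0` on its left keeps the signed/unsigned comparison with `length_dw` well defined. The enclosing while loop and vcn_v4_0_ring_patch_cs_in_place continue outside the hunk.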