On 3/26/26 13:29, Benjamin Cheng wrote: > The uvd/vce/vcn code accesses the IB at predefined offsets without > checking that the IB is large enough. Check the bounds here. The caller > is responsible for making sure it can handle arbitrary return values. > > Also make the idx a uint32_t to prevent overflows causing the condition > to fail. > > Signed-off-by: Benjamin Cheng <[email protected]>
Patches #1-#3 are Reviewed-by: Christian König <[email protected]> Patch #4 is Acked-by: Christian König <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h > b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h > index ce5af137ee40..715c9e43e13a 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h > @@ -559,15 +559,18 @@ void amdgpu_debugfs_ring_init(struct amdgpu_device > *adev, > > int amdgpu_ring_init_mqd(struct amdgpu_ring *ring); > > -static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx) > +static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx) > { > - return ib->ptr[idx]; > + if (idx < ib->length_dw) > + return ib->ptr[idx]; > + return 0; > } > > -static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx, > +static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx, > uint32_t value) > { > - ib->ptr[idx] = value; > + if (idx < ib->length_dw) > + ib->ptr[idx] = value; > } > > int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
