Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
bounds checks.

Signed-off-by: Benjamin Cheng <[email protected]>
Acked-by: Christian König <[email protected]>
Reviewed-by: Ruijing Dong <[email protected]>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c 
b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
index 1a1cdc14841a..5dec92691f73 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1928,9 +1928,10 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, 
struct amdgpu_job *job,
 static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int 
start)
 {
        int i;
+       uint32_t len;
 
-       for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 
4) {
-               if (ib->ptr[i + 1] == id)
+       for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
+               if (amdgpu_ib_get_value(ib, i + 1) == id)
                        return i;
        }
        return -1;
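Review bot: With `i < ib->length_dw` dropped from the loop condition, the walk in vcn_v4_0_enc_find_ib_param() ends only if amdgpu_ib_get_value() returns a value below 8 for every index outside the IB. That helper is not visible in this patch, so the contract should be stated at the loop. `i` is a signed int advanced by `len / 4`, where `len` is a 32-bit value read from the IB, so a large length can carry `i` past INT_MAX and turn it negative; the helper then has to reject negative indexes too. Either add a comment such as `/* walk ends when amdgpu_ib_get_value() reports an out-of-range index as a length < 8 */` (if that is its behaviour), or keep the explicit bound as defence in depth: `for (i = start; i < ib->length_dw && (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {`.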
@@ -1941,8 +1942,6 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct 
amdgpu_cs_parser *p,
                                           struct amdgpu_ib *ib)
 {
        struct amdgpu_ring *ring = amdgpu_job_ring(job);
-       struct amdgpu_vcn_decode_buffer *decode_buffer;
-       uint64_t addr;
        uint32_t val;
        int idx = 0, sidx;
 
@@ -1953,20 +1952,22 @@ static int vcn_v4_0_ring_patch_cs_in_place(struct 
amdgpu_cs_parser *p,
        while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, 
idx)) >= 0) {
                val = amdgpu_ib_get_value(ib, idx + 2); /* 
RADEON_VCN_ENGINE_TYPE */
                if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
-                       decode_buffer = (struct amdgpu_vcn_decode_buffer 
*)&ib->ptr[idx + 6];
+                       uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 
6);
+                       uint64_t msg_buffer_addr;
 
-                       if (!(decode_buffer->valid_buf_flag & 0x1))
+                       if (!(valid_buf_flag & 0x1))
                                return 0;
 
-                       addr = ((u64)decode_buffer->msg_buffer_address_hi) << 
32 |
-                               decode_buffer->msg_buffer_address_lo;
-                       return vcn_v4_0_dec_msg(p, job, addr);
+                       msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 
7)) << 32 |
+                               amdgpu_ib_get_value(ib, idx + 8);
+                       return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
                } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
                        sidx = vcn_v4_0_enc_find_ib_param(ib, 
RENCODE_IB_PARAM_SESSION_INIT, idx);
-                       if (sidx >= 0 && ib->ptr[sidx + 2] == 
RENCODE_ENCODE_STANDARD_AV1)
+                       if (sidx >= 0 &&
+                           amdgpu_ib_get_value(ib, sidx + 2) == 
RENCODE_ENCODE_STANDARD_AV1)
                                return vcn_v4_0_limit_sched(p, job);
                }
-               idx += ib->ptr[idx] / 4;
+               idx += amdgpu_ib_get_value(ib, idx) / 4;
        }
        return 0;
 }
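Review bot: The decode branch now reads dwords `idx + 6`, `idx + 7` and `idx + 8` by bare offset, and nothing checks that the packet's declared length covers them. The bare offsets also lose the field names that the removed `struct amdgpu_vcn_decode_buffer` cast provided. If amdgpu_ib_get_value() (defined outside this patch) yields 0 for an out-of-range index, a packet truncated after the flag word would give a zero or half-zero `msg_buffer_addr` that is passed to vcn_v4_0_dec_msg() instead of being rejected. I would compare the length at `idx` against the nine dwords this branch consumes before reading them, and tag each read the way the existing `/* RADEON_VCN_ENGINE_TYPE */` comment does, e.g. `/* valid_buf_flag */`, `/* msg_buffer_address_hi */`, `/* msg_buffer_address_lo */`. The function body starts above this hunk, so any earlier validation is not visible here.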
-- 
2.53.0
