On 5/18/26 7:55 PM, Eliot Courtney wrote:
> Use checked arithmetic for `ucode_offset` in `setup_falcon_data`. This
> prevents a malformed firmware from causing a panic.
> 
> Fixes: dc70c6ae2441 ("gpu: nova-core: vbios: Add support to look up PMU table 
> in FWSEC")
> Reviewed-by: Joel Fernandes <[email protected]>
> Signed-off-by: Eliot Courtney <[email protected]>
> ---
>  drivers/gpu/nova-core/vbios.rs | 17 +++++++++--------
>  1 file changed, 9 insertions(+), 8 deletions(-)

Reviewed-by: John Hubbard <[email protected]>

thanks,
-- 
John Hubbard

> 
> diff --git a/drivers/gpu/nova-core/vbios.rs b/drivers/gpu/nova-core/vbios.rs
> index 48a46684e279..871f455bb720 100644
> --- a/drivers/gpu/nova-core/vbios.rs
> +++ b/drivers/gpu/nova-core/vbios.rs
> @@ -1036,14 +1036,15 @@ fn setup_falcon_data(
>              .find_entry_by_type(FALCON_UCODE_ENTRY_APPID_FWSEC_PROD)
>          {
>              Ok(entry) => {
> -                let mut ucode_offset = usize::from_safe_cast(entry.data);
> -                ucode_offset -= pci_at_image.base.data.len();
> -                if ucode_offset < first_fwsec.base.data.len() {
> -                    dev_err!(self.base.dev, "Falcon Ucode offset not in 
> second Fwsec.\n");
> -                    return Err(EINVAL);
> -                }
> -                ucode_offset -= first_fwsec.base.data.len();
> -                self.falcon_ucode_offset = Some(ucode_offset);
> +                self.falcon_ucode_offset = Some(
> +                    usize::from_safe_cast(entry.data)
> +                        .checked_sub(pci_at_image.base.data.len())
> +                        .and_then(|o| 
> o.checked_sub(first_fwsec.base.data.len()))
> +                        .ok_or(EINVAL)
> +                        .inspect_err(|_| {
> +                            dev_err!(self.base.dev, "Falcon Ucode offset not 
> in second Fwsec.\n");
> +                        })?,
> +                );
>              }
>              Err(e) => {
>                  dev_err!(
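Review bot: The checked chain in the `Ok(entry)` arm only establishes a lower bound. After the two `checked_sub` calls the stored `falcon_ucode_offset` is known to be at or past the start of the second FWSEC image, but nothing visible here compares it with that image's length, so an oversized `entry.data` from a malformed VBIOS still passes even though the error text reads "not in second Fwsec". The consumers of `falcon_ucode_offset` are outside this hunk, so whether they bounds-check it is unverified; if they do not, an upper-bound check belongs here. Otherwise a comment would make the contract explicit, e.g. `// Lower bound only: users must still check the offset against the second FWSEC data length.` `setup_falcon_data` starts and ends outside the hunk.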
> 
