diff options
| author | Srinivasan Shanmugam <srinivasan.shanmugam@amd.com> | 2025-10-23 10:52:21 +0530 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2025-10-28 09:55:16 -0400 |
| commit | 90ef1dcb1d2bb84ad998e845e26a2a297a7ddfd6 (patch) | |
| tree | 7656cf3649f0674a2262b7aa65d3ca5d3d8dba5a /drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | |
| parent | 84564d2920b8c858d96cb7471b45203d35f63b61 (diff) | |
drm/amdgpu: Fix pointer casts when reading dynamic region sizes
The function amdgpu_virt_get_dynamic_data_info() writes a 64-bit size
value. In two places (amdgpu_bios.c and amdgpu_discovery.c), the code
passed the address of a smaller variable by casting it to u64 *, which
is unsafe.
This could make the function write more bytes than the smaller variable
can hold, possibly overwriting nearby memory. Reported by static
analysis tools.
v2: Dynamic region size comes from the host (SR-IOV setup) and is always
fixed to 5 MB. (Lijo/Ellen)
5 MB easily fits inside a 32-bit value, so using a 64-bit type is not
needed. It also avoids extra type casts
Fixes: b4a8fcc7826a ("drm/amdgpu: Add logic for VF ipd and VF bios to init from dynamic crit_region offsets")
Reported by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Ellen Pan <yunru.pan@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c')
| -rw-r--r-- | drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c index db705bf723f1..35d04e69aec0 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c @@ -103,7 +103,7 @@ static bool amdgpu_read_bios_from_vram(struct amdgpu_device *adev) { uint8_t __iomem *bios = NULL; resource_size_t vram_base; - resource_size_t size = 256 * 1024; /* ??? */ + u32 size = 256U * 1024U; /* ??? */ if (!(adev->flags & AMD_IS_APU)) if (amdgpu_device_need_post(adev)) @@ -126,7 +126,7 @@ static bool amdgpu_read_bios_from_vram(struct amdgpu_device *adev) */ if (amdgpu_sriov_vf(adev) && adev->virt.is_dynamic_crit_regn_enabled) { if (amdgpu_virt_get_dynamic_data_info(adev, - AMD_SRIOV_MSG_VBIOS_IMG_TABLE_ID, adev->bios, (uint64_t *)&size)) { + AMD_SRIOV_MSG_VBIOS_IMG_TABLE_ID, adev->bios, &size)) { amdgpu_bios_release(adev); return false; } |