From: Eliot Courtney Date: Mon, 25 May 2026 13:57:25 +0000 (+0900) Subject: gpu: nova-core: vbios: use checked accesses in `setup_falcon_data` X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=051ae1b21ff7a3cc27522b0b3b56e277b62c1207;p=thirdparty%2Fkernel%2Flinux.git gpu: nova-core: vbios: use checked accesses in `setup_falcon_data` Use checked arithmetic for `ucode_offset` in `setup_falcon_data`. This prevents a malformed firmware from causing a panic. Fixes: dc70c6ae2441 ("gpu: nova-core: vbios: Add support to look up PMU table in FWSEC") Reviewed-by: Joel Fernandes Reviewed-by: John Hubbard Signed-off-by: Eliot Courtney Link: https://patch.msgid.link/20260525-fix-vbios-v5-7-e5e455251537@nvidia.com Signed-off-by: Danilo Krummrich
---
diff --git a/drivers/gpu/nova-core/vbios.rs b/drivers/gpu/nova-core/vbios.rs
index 48a46684e279a..871f455bb7203 100644
--- a/drivers/gpu/nova-core/vbios.rs
+++ b/drivers/gpu/nova-core/vbios.rs
@@ -1036,14 +1036,15 @@ impl FwSecBiosBuilder {
 .find_entry_by_type(FALCON_UCODE_ENTRY_APPID_FWSEC_PROD)
 {
 Ok(entry) => {
- let mut ucode_offset = usize::from_safe_cast(entry.data);
- ucode_offset -= pci_at_image.base.data.len();
- if ucode_offset < first_fwsec.base.data.len() {
- dev_err!(self.base.dev, "Falcon Ucode offset not in second Fwsec.\n");
- return Err(EINVAL);
- }
- ucode_offset -= first_fwsec.base.data.len();
- self.falcon_ucode_offset = Some(ucode_offset);
+ self.falcon_ucode_offset = Some(
+ usize::from_safe_cast(entry.data)
+ .checked_sub(pci_at_image.base.data.len())
+ .and_then(|o| o.checked_sub(first_fwsec.base.data.len()))
+ .ok_or(EINVAL)
+ .inspect_err(|_| {
+ dev_err!(self.base.dev, "Falcon Ucode offset not in second Fwsec.\n");
+ })?,
+ );
 }
 Err(e) => {
 dev_err!(
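Review bot: The new chain in the `Ok(entry)` arm validates only the lower bound of `falcon_ucode_offset`: the two `checked_sub` calls reject an `entry.data` that falls before the second FWSEC image, but nothing visible here rejects one that lands past its end. Since `entry.data` is read from the firmware image, a too-large value would still be stored as `Some(..)` and could trip an out-of-bounds access wherever the offset is later consumed, unless that code (outside this hunk) already uses checked accesses. If it does not, an upper-bound test belongs in the same chain, for example `.filter(|&o| o < SECOND_FWSEC_LEN)` ahead of `.ok_or(EINVAL)`, where `SECOND_FWSEC_LEN` is a placeholder for the length of the second FWSEC image's data. The enclosing function starts and ends outside the hunk, so this should be checked against its remaining body.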