gpu: nova-core: gsp: add checking oversized commands

author Eliot Courtney <ecourtney@nvidia.com>

Fri, 6 Mar 2026 07:22:01 +0000 (16:22 +0900)

committer Alexandre Courbot <acourbot@nvidia.com>

Tue, 10 Mar 2026 07:07:33 +0000 (16:07 +0900)
author Eliot Courtney <ecourtney@nvidia.com>
Fri, 6 Mar 2026 07:22:01 +0000 (16:22 +0900)
committer Alexandre Courbot <acourbot@nvidia.com>
Tue, 10 Mar 2026 07:07:33 +0000 (16:07 +0900)
diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs

index 12849bc057f246f3b808afb873b1376e2f1502d5..8b970523d789af4f89a36abb5210ded2f0e08135 100644 (file)
--- a/drivers/gpu/nova-core/gsp/cmdq.rs
+++ b/drivers/gpu/nova-core/gsp/cmdq.rs
@@ -32,7 +32,8 @@ use crate::{
              GspMsgElement,
              MsgFunction,
              MsgqRxHeader,
-            MsgqTxHeader, //
+            MsgqTxHeader,
+            GSP_MSG_QUEUE_ELEMENT_SIZE_MAX, //
          },
          PteArray,
          GSP_PAGE_SHIFT,
@@ -300,9 +301,13 @@ impl DmaGspMem {
      ///
      /// # Errors
      ///
+    /// - `EMSGSIZE` if the command is larger than [`GSP_MSG_QUEUE_ELEMENT_SIZE_MAX`].
      /// - `ETIMEDOUT` if space does not become available within the timeout.
      /// - `EIO` if the command header is not properly aligned.
      fn allocate_command(&mut self, size: usize, timeout: Delta) -> Result<GspCommand<'_>> {
+        if size_of::<GspMsgElement>() + size > GSP_MSG_QUEUE_ELEMENT_SIZE_MAX {
+            return Err(EMSGSIZE);
+        }
          read_poll_timeout(
              || Ok(self.driver_write_area_size()),
              |available_bytes| *available_bytes >= size_of::<GspMsgElement>() + size,
diff --git a/drivers/gpu/nova-core/gsp/fw.rs b/drivers/gpu/nova-core/gsp/fw.rs

index 4b998485360b07a047f11dce029a34f199e22e24..6005362450cb1903ea1fb20a7b568a4e7dc0da8c 100644 (file)
--- a/drivers/gpu/nova-core/gsp/fw.rs
+++ b/drivers/gpu/nova-core/gsp/fw.rs
@@ -39,6 +39,10 @@ use crate::{
      },
  };
  
+/// Maximum size of a single GSP message queue element in bytes.
+pub(crate) const GSP_MSG_QUEUE_ELEMENT_SIZE_MAX: usize =
+    num::u32_as_usize(bindings::GSP_MSG_QUEUE_ELEMENT_SIZE_MAX);
+
  /// Empty type to group methods related to heap parameters for running the GSP firmware.
  enum GspFwHeapParams {}
  
diff --git a/drivers/gpu/nova-core/gsp/fw/r570_144/bindings.rs b/drivers/gpu/nova-core/gsp/fw/r570_144/bindings.rs

index 6d25fe0bffa97f6c01cbb7efe7f83ca12e8dfaea..334e8be5fde8ec410685dfb4f0d34af21620c0a5 100644 (file)
--- a/drivers/gpu/nova-core/gsp/fw/r570_144/bindings.rs
+++ b/drivers/gpu/nova-core/gsp/fw/r570_144/bindings.rs
@@ -43,6 +43,7 @@ pub const GSP_FW_HEAP_SIZE_OVERRIDE_LIBOS3_BAREMETAL_MAX_MB: u32 = 280;
  pub const GSP_FW_WPR_META_REVISION: u32 = 1;
  pub const GSP_FW_WPR_META_MAGIC: i64 = -2577556379034558285;
  pub const REGISTRY_TABLE_ENTRY_TYPE_DWORD: u32 = 1;
+pub const GSP_MSG_QUEUE_ELEMENT_SIZE_MAX: u32 = 65536;
  pub type __u8 = ffi::c_uchar;
  pub type __u16 = ffi::c_ushort;
  pub type __u32 = ffi::c_uint;
author	Eliot Courtney <ecourtney@nvidia.com>
	Fri, 6 Mar 2026 07:22:01 +0000 (16:22 +0900)
committer	Alexandre Courbot <acourbot@nvidia.com>
	Tue, 10 Mar 2026 07:07:33 +0000 (16:07 +0900)
drivers/gpu/nova-core/gsp/cmdq.rs		patch \| blob \| blame \| history
drivers/gpu/nova-core/gsp/fw.rs		patch \| blob \| blame \| history
drivers/gpu/nova-core/gsp/fw/r570_144/bindings.rs		patch \| blob \| blame \| history