[PATCH 3/7] gpu: nova-core: gsp: add checking oversized commands
From: Eliot Courtney
Date: Thu Feb 12 2026 - 01:30:40 EST
The limit is 16 pages for a single command sent to the GSP. Return an
error if `allocate_command` is called with a too large size.
Signed-off-by: Eliot Courtney <ecourtney@xxxxxxxxxx>
---
drivers/gpu/nova-core/gsp/cmdq.rs | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
index baae06de0e09..dbc9e95f1b17 100644
--- a/drivers/gpu/nova-core/gsp/cmdq.rs
+++ b/drivers/gpu/nova-core/gsp/cmdq.rs
@@ -122,6 +122,11 @@ fn read(
/// Number of GSP pages making the [`Msgq`].
pub(crate) const MSGQ_NUM_PAGES: u32 = 0x3f;
+/// Maximum size of a single GSP command in bytes.
+///
+/// A single command can span up to 16 GSP pages.
+pub(crate) const MSGQ_MSG_SIZE_MAX: usize = GSP_PAGE_SIZE * 16;
+
/// Circular buffer of a [`Msgq`].
///
/// This area of memory is to be shared between the driver and the GSP to exchange commands or
@@ -329,8 +334,11 @@ fn allocate_command(&mut self, size: usize) -> Result<GspCommand<'_>> {
/// # Errors
///
/// - `ETIMEDOUT` if space does not become available within the timeout.
- /// - `EIO` if the command header is not properly aligned.
+ /// - `EIO` if the command header is not properly aligned or sizing is impossible.
fn allocate_command_with_timeout(&mut self, size: usize) -> Result<GspCommand<'_>> {
+ if size_of::<GspMsgElement>() + size > MSGQ_MSG_SIZE_MAX {
+ return Err(EIO);
+ }
read_poll_timeout(
|| Ok(self.driver_bytes_available_to_write()),
|available_bytes| *available_bytes >= size_of::<GspMsgElement>() + size,
--
2.53.0