[PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing

There is a newer version of this series
[PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing
Posted by Joel Fernandes 2 weeks, 1 day ago
Use checked_add() when computing offsets from firmware-provided values
in the RISC-V firmware parsing code. These values come from the BinHdr
structure parsed from the firmware file header.

Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
 drivers/gpu/nova-core/firmware/riscv.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/nova-core/firmware/riscv.rs b/drivers/gpu/nova-core/firmware/riscv.rs
index 28dfef63657a..97030bdd9991 100644
--- a/drivers/gpu/nova-core/firmware/riscv.rs
+++ b/drivers/gpu/nova-core/firmware/riscv.rs
@@ -47,10 +47,11 @@ impl RmRiscvUCodeDesc {
     /// Fails if the header pointed at by `bin_fw` is not within the bounds of the firmware image.
     fn new(bin_fw: &BinFirmware<'_>) -> Result<Self> {
         let offset = usize::from_safe_cast(bin_fw.hdr.header_offset);
+        let end = offset.checked_add(size_of::<Self>()).ok_or(EINVAL)?;
 
         bin_fw
             .fw
-            .get(offset..offset + size_of::<Self>())
+            .get(offset..end)
             .and_then(Self::from_bytes_copy)
             .ok_or(EINVAL)
     }
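Review bot: The doc comment on `new` still describes only the out-of-bounds case, and nothing at the added `checked_add` line says why the addition is guarded. `header_offset` is read from the firmware image, so a short comment above `let end` would help, for example `// header_offset is firmware-provided: an end offset that overflows is rejected like an out-of-bounds one.` The commit message could also name the failure mode being closed. Presumably the old `offset + size_of::<Self>()` could wrap, or panic where overflow checks are enabled, before `get()` could reject the range, but the width of `header_offset` is not visible in this hunk.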
@@ -80,8 +81,9 @@ pub(crate) fn new(dev: &device::Device<device::Bound>, fw: &Firmware) -> Result<
         let ucode = {
             let start = usize::from_safe_cast(bin_fw.hdr.data_offset);
             let len = usize::from_safe_cast(bin_fw.hdr.data_size);
+            let end = start.checked_add(len).ok_or(EINVAL)?;
 
-            DmaObject::from_data(dev, fw.data().get(start..start + len).ok_or(EINVAL)?)?
+            DmaObject::from_data(dev, fw.data().get(start..end).ok_or(EINVAL)?)?
         };
 
         Ok(Self {
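Review bot: A `data_size` of zero still passes the new check: `start.checked_add(len)` succeeds and `get(start..end)` returns an empty slice whenever `start` does not exceed the image length, so `DmaObject::from_data` is called with no data. Whether `from_data` rejects an empty slice is not visible here. If it does not, a guard such as `if len == 0 { return Err(EINVAL); }` before computing `end` would stop a malformed header from producing an empty ucode object. The enclosing `new` starts before and continues past this hunk, so validation elsewhere may already cover this.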
-- 
2.34.1
Re: [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing
Posted by Zhi Wang 2 weeks ago
On Sat, 24 Jan 2026 18:18:30 -0500
Joel Fernandes <joelagnelf@nvidia.com> wrote:

> Use checked_add() when computing offsets from firmware-provided values
> in the RISC-V firmware parsing code. These values come from the BinHdr
> structure parsed from the firmware file header.
> 
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
>  drivers/gpu/nova-core/firmware/riscv.rs | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/nova-core/firmware/riscv.rs
> b/drivers/gpu/nova-core/firmware/riscv.rs index
> 28dfef63657a..97030bdd9991 100644 ---
> a/drivers/gpu/nova-core/firmware/riscv.rs +++
> b/drivers/gpu/nova-core/firmware/riscv.rs @@ -47,10 +47,11 @@ impl
> RmRiscvUCodeDesc { /// Fails if the header pointed at by `bin_fw` is not
> within the bounds of the firmware image. fn new(bin_fw:
> &BinFirmware<'_>) -> Result<Self> { let offset =
> usize::from_safe_cast(bin_fw.hdr.header_offset);
> +        let end = offset.checked_add(size_of::<Self>()).ok_or(EINVAL)?;
>  
>          bin_fw
>              .fw
> -            .get(offset..offset + size_of::<Self>())
> +            .get(offset..end)
>              .and_then(Self::from_bytes_copy)
>              .ok_or(EINVAL)
>      }
> @@ -80,8 +81,9 @@ pub(crate) fn new(dev: &device::Device<device::Bound>,
> fw: &Firmware) -> Result< let ucode = {
>              let start = usize::from_safe_cast(bin_fw.hdr.data_offset);
>              let len = usize::from_safe_cast(bin_fw.hdr.data_size);
> +            let end = start.checked_add(len).ok_or(EINVAL)?;
>  
> -            DmaObject::from_data(dev, fw.data().get(start..start +
> len).ok_or(EINVAL)?)?
> +            DmaObject::from_data(dev,
> fw.data().get(start..end).ok_or(EINVAL)?)? };
>  
>          Ok(Self {

Reviewed-by: Zhi Wang <zhiw@nvidia.com>