Applied. Thanks! Alex On Tue, Mar 11, 2025 at 7:23 AM Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx> wrote: > > On the off chance that command stream passed from userspace via > ioctl() call to radeon_vce_cs_parse() is weirdly crafted and > first command to execute is to encode (case 0x03000001), the function > in question will attempt to call radeon_vce_cs_reloc() with size > argument that has not been properly initialized. Specifically, 'size' > will point to 'tmp' variable before the latter had a chance to be > assigned any value. > > Play it safe and init 'tmp' with 0, thus ensuring that > radeon_vce_cs_reloc() will catch an early error in cases like these. > > Found by Linux Verification Center (linuxtesting.org) with static > analysis tool SVACE. > > Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx> > --- > drivers/gpu/drm/radeon/radeon_vce.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/radeon/radeon_vce.c b/drivers/gpu/drm/radeon/radeon_vce.c > index d1871af967d4..2355a78e1b69 100644 > --- a/drivers/gpu/drm/radeon/radeon_vce.c > +++ b/drivers/gpu/drm/radeon/radeon_vce.c > @@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p) > { > int session_idx = -1; > bool destroyed = false, created = false, allocated = false; > - uint32_t tmp, handle = 0; > + uint32_t tmp = 0, handle = 0; > uint32_t *size = &tmp; > int i, r = 0; >
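Review bot: the hunk removes the read of an uninitialized stack value, but the commit message's claim that a zero size lets radeon_vce_cs_reloc() "catch an early error" is not supported by the visible lines, since radeon_vce_cs_reloc() is not shown in the diff; if that function only checks that the relocation target is at least `size` bytes long, a `size` of 0 will always pass that check rather than fail it, so the actual effect of `uint32_t tmp = 0, handle = 0;` is to make an encode command issued before any bitstream-buffer command behave deterministically instead of depending on stack garbage. Consider stating that in the commit message, and consider whether the parser should reject an encode command outright when no size has been established yet (for example, returning -EINVAL in that case) rather than relying on the zero value, since that expresses the intended ordering of commands directly and is easier to verify than the side effect of the initializer.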