drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()

Nikita Zhandarovich · alexdeucher · commit dd8689b52a24 · 2025-03-18T16:24:44.000-04:00
On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 2fc5703 ("drm/radeon: check VCE relocation buffer range v3") Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 2d52de5) Cc: stable@vger.kernel.org
diff --git a/drivers/gpu/drm/radeon/radeon_vce.c b/drivers/gpu/drm/radeon/radeon_vce.c
@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
 {
 	int session_idx = -1;
 	bool destroyed = false, created = false, allocated = false;
-	uint32_t tmp, handle = 0;
+	uint32_t tmp = 0, handle = 0;
 	uint32_t *size = &tmp;
 	int i, r = 0;
 

Original file line number	Diff line number	Diff line change
`@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)`
`557`	`557`	`{`
`558`	`558`	`int session_idx = -1;`
`559`	`559`	`bool destroyed = false, created = false, allocated = false;`
`560`		`- uint32_t tmp, handle = 0;`
	`560`	`+ uint32_t tmp = 0, handle = 0;`
`561`	`561`	`uint32_t *size = &tmp;`
`562`	`562`	`int i, r = 0;`
`563`	`563`