Re: [PATCH v6 19/28] media: rockchip: rga: change offset to dma_addresses

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Uninitialized stack memory in the `dma_addrs` array is written to the hardware's DMA-mapped command buffer for formats with fewer than 3 planes.
--

commit 9081b335b1506ccdaa6465a8ae0be247c58c4532
Author: Sven Püschel <s.pueschel@pengutronix.de>

media: rockchip: rga: change offset to dma_addresses

This commit renames the offset fields to dma_addrs and changes their type
to dma_addr_t to better reflect that they represent addresses rather than
IOMMU offsets. It updates the buffer preparation and command generation
routines to use these newly named fields.

> diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c
> index dcaba66f5c1fc..ab9554c1c4cd9 100644
> --- a/drivers/media/platform/rockchip/rga/rga-buf.c
> +++ b/drivers/media/platform/rockchip/rga/rga-buf.c
> @@ -121,7 +121,7 @@ static int rga_buf_prepare(struct vb2_buffer *vb)
>  	size_t curr_desc = 0;
>  	int i;
>  	const struct v4l2_format_info *info;
> -	unsigned int offsets[VIDEO_MAX_PLANES];
> +	dma_addr_t dma_addrs[VIDEO_MAX_PLANES];

[ ... ]

> @@ -145,18 +145,18 @@ static int rga_buf_prepare(struct vb2_buffer *vb)
>  				 "Failed to map video buffer to RGA\n");
>  			return n_desc;
>  		}
> -		offsets[i] = curr_desc << PAGE_SHIFT;
> +		dma_addrs[i] = curr_desc << PAGE_SHIFT;
>  		curr_desc += n_desc;
>  	}
>  
>  	/* Fill the remaining planes */
>  	info = v4l2_format_info(f->fmt->fourcc);
>  	for (i = info->mem_planes; i < info->comp_planes; i++)
> -		offsets[i] = get_plane_offset(f, info, i);
> +		dma_addrs[i] = dma_addrs[0] + get_plane_offset(f, info, i);
>  
> -	rbuf->offset.y_off = offsets[0];
> -	rbuf->offset.u_off = offsets[1];
> -	rbuf->offset.v_off = offsets[2];
> +	rbuf->dma_addrs.y_addr = dma_addrs[0];
> +	rbuf->dma_addrs.u_addr = dma_addrs[1];
> +	rbuf->dma_addrs.v_addr = dma_addrs[2];

Does this code leak uninitialized stack memory into the hardware's DMA-mapped
command buffer?

If info->comp_planes is 1 (such as with RGB formats), the initialization
loops above do not populate dma_addrs[1] and dma_addrs[2]. These array
elements remain uninitialized stack memory.

However, the code unconditionally assigns these elements to
rbuf->dma_addrs.u_addr and v_addr.

Later, rga_cmd_set_src_info() and rga_cmd_set_dst_info() use these values,
apply arithmetic to them, and write the results directly into the device's
DMA command buffer:

	dest[(RGA_SRC_CB_BASE_ADDR - RGA_MODE_BASE_REG) >> 2] =
		src_corner_addrs.left_top.u_addr;
	dest[(RGA_SRC_CR_BASE_ADDR - RGA_MODE_BASE_REG) >> 2] =
		src_corner_addrs.left_top.v_addr;

Could this leak stack memory to the device or trigger KMSAN warnings on
uninitialized value usage?

While this behavior existed previously with the offsets array, should
dma_addrs be zero-initialized to resolve it?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260515-spu-rga3-v6-0-e547152eb9c9@pengutronix.de?part=19