[PATCH 4/4 V2] drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

[Christian König]

Am 24.04.24 um 10:41 schrieb Jesse Zhang:
> Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
> V2: To really improve the handling we would actually
>      need to have a separate value of 0xffffffff.(Christian)
>
> Signed-off-by: Jesse Zhang <Jesse.Zhang at amd.com>
> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> index 59acf424a078..1929de0db3a1 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> @@ -742,7 +742,7 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
>   	uint32_t destroyed = 0;
>   	uint32_t created = 0;
>   	uint32_t allocated = 0;
> -	uint32_t tmp, handle = 0;
> +	uint32_t tmp = 0xffffffff, handle = 0;

That's close, but what I meant was to have something like this instead:

uint32_t dummy = 0xffffffff; *size = &dummy.

Because tmp is overwritten by user values while parsing the command stream.

Regards,
Christian.

>   	uint32_t *size = &tmp;
>   	unsigned int idx;
>   	int i, r = 0;