* [bug report] drm/vmwgfx: Initial DX support
@ 2017-11-28 14:30 Dan Carpenter
2017-11-28 16:14 ` Thomas Hellstrom
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2017-11-28 14:30 UTC (permalink / raw)
To: thellstrom; +Cc: dri-devel
Hello Thomas Hellstrom,
The patch d80efd5cb3de: "drm/vmwgfx: Initial DX support" from Aug 10,
2015, leads to the following static checker warning:
drivers/gpu/drm/vmwgfx/vmwgfx_so.c:335 vmw_view_add()
error: buffer overflow 'vmw_view_define_sizes' 3 <= 3
drivers/gpu/drm/vmwgfx/vmwgfx_so.c
2709 static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
2710 struct vmw_sw_context *sw_context,
2711 SVGA3dCmdHeader *header)
2712 {
2713 struct vmw_resource_val_node *ctx_node = sw_context->dx_ctx_node;
2714 struct vmw_resource_val_node *srf_node;
2715 struct vmw_resource *res;
2716 enum vmw_view_type view_type;
2717 int ret;
2718 /*
2719 * This is based on the fact that all affected define commands have
2720 * the same initial command body layout.
2721 */
2722 struct {
2723 SVGA3dCmdHeader header;
2724 uint32 defined_id;
2725 uint32 sid;
2726 } *cmd;
2727
2728 if (unlikely(ctx_node == NULL)) {
2729 DRM_ERROR("DX Context not set.\n");
2730 return -EINVAL;
2731 }
2732
2733 view_type = vmw_view_cmd_to_type(header->id);
^^^^^^^^^
view_type is set to vmw_view_max for unknown values.
2734 cmd = container_of(header, typeof(*cmd), header);
2735 ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
2736 user_surface_converter,
2737 &cmd->sid, &srf_node);
2738 if (unlikely(ret != 0))
2739 return ret;
2740
2741 res = vmw_context_cotable(ctx_node->res, vmw_view_cotables[view_type]);
^^^^^^^^^
but we use it without checking vmw_view_id_ok().
2742 ret = vmw_cotable_notify(res, cmd->defined_id);
2743 vmw_resource_unreference(&res);
2744 if (unlikely(ret != 0))
2745 return ret;
2746
regards,
dan carpenter
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] drm/vmwgfx: Initial DX support
2017-11-28 14:30 [bug report] drm/vmwgfx: Initial DX support Dan Carpenter
@ 2017-11-28 16:14 ` Thomas Hellstrom
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Hellstrom @ 2017-11-28 16:14 UTC (permalink / raw)
To: Dan Carpenter; +Cc: dri-devel
Hi, Dan.
Thanks for the report. I'll try to figure out a fix.
/Thomas
On 11/28/2017 03:30 PM, Dan Carpenter wrote:
> Hello Thomas Hellstrom,
>
> The patch d80efd5cb3de: "drm/vmwgfx: Initial DX support" from Aug 10,
> 2015, leads to the following static checker warning:
>
> drivers/gpu/drm/vmwgfx/vmwgfx_so.c:335 vmw_view_add()
> error: buffer overflow 'vmw_view_define_sizes' 3 <= 3
>
> drivers/gpu/drm/vmwgfx/vmwgfx_so.c
> 2709 static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
> 2710 struct vmw_sw_context *sw_context,
> 2711 SVGA3dCmdHeader *header)
> 2712 {
> 2713 struct vmw_resource_val_node *ctx_node = sw_context->dx_ctx_node;
> 2714 struct vmw_resource_val_node *srf_node;
> 2715 struct vmw_resource *res;
> 2716 enum vmw_view_type view_type;
> 2717 int ret;
> 2718 /*
> 2719 * This is based on the fact that all affected define commands have
> 2720 * the same initial command body layout.
> 2721 */
> 2722 struct {
> 2723 SVGA3dCmdHeader header;
> 2724 uint32 defined_id;
> 2725 uint32 sid;
> 2726 } *cmd;
> 2727
> 2728 if (unlikely(ctx_node == NULL)) {
> 2729 DRM_ERROR("DX Context not set.\n");
> 2730 return -EINVAL;
> 2731 }
> 2732
> 2733 view_type = vmw_view_cmd_to_type(header->id);
> ^^^^^^^^^
> view_type is set to vmw_view_max for unknown values.
>
> 2734 cmd = container_of(header, typeof(*cmd), header);
> 2735 ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
> 2736 user_surface_converter,
> 2737 &cmd->sid, &srf_node);
> 2738 if (unlikely(ret != 0))
> 2739 return ret;
> 2740
> 2741 res = vmw_context_cotable(ctx_node->res, vmw_view_cotables[view_type]);
> ^^^^^^^^^
> but we use it without checking vmw_view_id_ok().
>
> 2742 ret = vmw_cotable_notify(res, cmd->defined_id);
> 2743 vmw_resource_unreference(&res);
> 2744 if (unlikely(ret != 0))
> 2745 return ret;
> 2746
>
> regards,
> dan carpenter
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-11-28 18:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-28 14:30 [bug report] drm/vmwgfx: Initial DX support Dan Carpenter
2017-11-28 16:14 ` Thomas Hellstrom
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.