drm/vmwgfx: Initial DX support
Dan Carpenter
dan.carpenter at oracle.com
Thu Apr 28 07:37:09 UTC 2016

Hello Thomas Hellstrom,

The patch d80efd5cb3de: "drm/vmwgfx: Initial DX support" from Aug 10,
2015, leads to the following static checker warning:

        drivers/gpu/drm/vmwgfx/vmwgfx_so.c:335 vmw_view_add()
        error: buffer overflow 'vmw_view_define_sizes' 3 <= 3

drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
  2656  static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
  2657                                    struct vmw_sw_context *sw_context,
  2658                                    SVGA3dCmdHeader *header)
  2659  {
  2660          struct vmw_resource_val_node *ctx_node = sw_context->dx_ctx_node;
  2661          struct vmw_resource_val_node *srf_node;
  2662          struct vmw_resource *res;
  2663          enum vmw_view_type view_type;
  2664          int ret;
  2665          /*
  2666           * This is based on the fact that all affected define commands have
  2667           * the same initial command body layout.
  2668           */
  2669          struct {
  2670                  SVGA3dCmdHeader header;
  2671                  uint32 defined_id;
  2672                  uint32 sid;
  2673          } *cmd;
  2674
  2675          if (unlikely(ctx_node == NULL)) {
  2676                  DRM_ERROR("DX Context not set.\n");
  2677                  return -EINVAL;
  2678          }
  2679
  2680          view_type = vmw_view_cmd_to_type(header->id);

vmw_view_cmd_to_type() returns 0-3.

  2681          cmd = container_of(header, typeof(*cmd), header);
  2682          ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
  2683                                  user_surface_converter,
  2684                                  &cmd->sid, &srf_node);
  2685          if (unlikely(ret != 0))
  2686                  return ret;
  2687
  2688          res = vmw_context_cotable(ctx_node->res, vmw_view_cotables[view_type]);
                                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So we're one space beyond the end of the array, here and other places.

  2689          ret = vmw_cotable_notify(res, cmd->defined_id);
  2690          vmw_resource_unreference(&res);
  2691          if (unlikely(ret != 0))
  2692                  return ret;

regards,
dan carpenter
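
The off-by-one reported above, reduced to a stand-alone C example that is added here and is not code from the vmwgfx driver or from this email: a mapper that can return 0-3 feeds a 3-entry table, and the lookup rejects the out-of-range value before indexing. All names, command ids and table values are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical names and values, constructed for this example. */
enum view_type { VIEW_SR, VIEW_RT, VIEW_DS, VIEW_MAX /* sentinel, not an index */ };

#define CMD_VIEW_FIRST 100u /* constructed id of the first "define view" command */

static const unsigned int view_cotables[] = { 10, 11, 12 };

/* Fail the build if the enum and the table it indexes drift apart. */
_Static_assert(ARRAY_SIZE(view_cotables) == VIEW_MAX,
               "view_cotables must have one entry per valid view type");

/* Returns 0..3: ids outside the known range map to the VIEW_MAX sentinel. */
static enum view_type cmd_to_type(unsigned int id)
{
    unsigned int tmp = (id - CMD_VIEW_FIRST) / 2; /* wraps for id < first */

    return tmp > (unsigned int)VIEW_MAX ? VIEW_MAX : (enum view_type)tmp;
}

/* Checked lookup: rejects the sentinel before it is used as an index. */
static int view_cotable_lookup(unsigned int cmd_id, unsigned int *cotable)
{
    enum view_type type = cmd_to_type(cmd_id);

    if ((size_t)type >= ARRAY_SIZE(view_cotables))
        return -EINVAL;
    *cotable = view_cotables[type];
    return 0;
}

int main(void)
{
    const unsigned int ids[] = { 100, 102, 104, 106, 7 }; /* constructed ids */
    unsigned int cotable = 0;

    for (size_t i = 0; i < ARRAY_SIZE(ids); i++) {
        int ret = view_cotable_lookup(ids[i], &cotable);
        printf("id %u -> ret %d\n", ids[i], ret);
    }
    return 0;
}
```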