[bug report] drm/vmwgfx: Initial DX support
Dan Carpenter
dan.carpenter at oracle.com
Tue Nov 28 14:30:58 UTC 2017
Hello Thomas Hellstrom,

The patch d80efd5cb3de: "drm/vmwgfx: Initial DX support" from Aug 10,
2015, leads to the following static checker warning:

	drivers/gpu/drm/vmwgfx/vmwgfx_so.c:335 vmw_view_add()
	error: buffer overflow 'vmw_view_define_sizes' 3 <= 3

drivers/gpu/drm/vmwgfx/vmwgfx_so.c
static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
				  struct vmw_sw_context *sw_context,
				  SVGA3dCmdHeader *header)
{
	struct vmw_resource_val_node *ctx_node = sw_context->dx_ctx_node;
	struct vmw_resource_val_node *srf_node;
	struct vmw_resource *res;
	enum vmw_view_type view_type;
	int ret;
	/*
	 * This is based on the fact that all affected define commands have
	 * the same initial command body layout.
	 */
	struct {
		SVGA3dCmdHeader header;
		uint32 defined_id;
		uint32 sid;
	} *cmd;

	if (unlikely(ctx_node == NULL)) {
		DRM_ERROR("DX Context not set.\n");
		return -EINVAL;
	}

	view_type = vmw_view_cmd_to_type(header->id);
	^^^^^^^^^
view_type is set to vmw_view_max for unknown values.

	cmd = container_of(header, typeof(*cmd), header);
	ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
				user_surface_converter,
				&cmd->sid, &srf_node);
	if (unlikely(ret != 0))
		return ret;

	res = vmw_context_cotable(ctx_node->res, vmw_view_cotables[view_type]);
	                                                           ^^^^^^^^^
but we use it without checking vmw_view_id_ok().

	ret = vmw_cotable_notify(res, cmd->defined_id);
	vmw_resource_unreference(&res);
	if (unlikely(ret != 0))
		return ret;

regards,
dan carpenter
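
The class of bug reported above, as an added example that is not code from the vmwgfx driver or from the original message: a command-to-type mapping that returns a "max" sentinel for unknown ids, and a lookup that rejects the sentinel before it is used as an array index. All `demo_*` names, command ids and table values are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins: demo_view_max is the "unknown command" sentinel. */
enum demo_view_type { demo_view_sr, demo_view_rt, demo_view_ds, demo_view_max };

/* Constructed command id base and table contents, not the SVGA values. */
#define DEMO_CMD_FIRST 100u
static const uint32_t demo_view_cotables[] = { 10, 11, 12 };
#define DEMO_NUM_VIEWS (sizeof(demo_view_cotables) / sizeof(demo_view_cotables[0]))

/* The sentinel is one past the last valid index, so it must never index the table. */
_Static_assert(DEMO_NUM_VIEWS == demo_view_max, "table must cover every view type");

/* As the report describes for the driver's mapping: unknown ids yield the sentinel. */
static enum demo_view_type demo_cmd_to_type(uint32_t id)
{
	uint32_t tmp = id - DEMO_CMD_FIRST;	/* wraps to a large value if id < first */

	if (tmp >= DEMO_NUM_VIEWS)
		return demo_view_max;
	return (enum demo_view_type)tmp;
}

/* Checked lookup: validate the type before indexing, fail with -EINVAL otherwise. */
static int demo_lookup_cotable(uint32_t cmd_id, uint32_t *cotable)
{
	enum demo_view_type type = demo_cmd_to_type(cmd_id);

	if ((uint32_t)type >= DEMO_NUM_VIEWS)
		return -EINVAL;
	*cotable = demo_view_cotables[type];
	return 0;
}

int main(void)
{
	uint32_t out = 0;
	int ret = demo_lookup_cotable(DEMO_CMD_FIRST + 3, &out);	/* unknown id */

	printf("unknown command id -> %d\n", ret);
	return 0;
}
```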