[bug report] drm/vmwgfx: Initial DX support
Thomas Hellstrom
thellstrom at vmware.com
Tue Nov 28 16:14:28 UTC 2017
Hi, Dan.
Thanks for the report. I'll try to figure out a fix.
/Thomas
On 11/28/2017 03:30 PM, Dan Carpenter wrote:
> Hello Thomas Hellstrom,
>
> The patch d80efd5cb3de: "drm/vmwgfx: Initial DX support" from Aug 10,
> 2015, leads to the following static checker warning:
>
> drivers/gpu/drm/vmwgfx/vmwgfx_so.c:335 vmw_view_add()
> error: buffer overflow 'vmw_view_define_sizes' 3 <= 3
>
> drivers/gpu/drm/vmwgfx/vmwgfx_so.c
> static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
> 				  struct vmw_sw_context *sw_context,
> 				  SVGA3dCmdHeader *header)
> {
> 	struct vmw_resource_val_node *ctx_node = sw_context->dx_ctx_node;
> 	struct vmw_resource_val_node *srf_node;
> 	struct vmw_resource *res;
> 	enum vmw_view_type view_type;
> 	int ret;
> 	/*
> 	 * This is based on the fact that all affected define commands have
> 	 * the same initial command body layout.
> 	 */
> 	struct {
> 		SVGA3dCmdHeader header;
> 		uint32 defined_id;
> 		uint32 sid;
> 	} *cmd;
>
> 	if (unlikely(ctx_node == NULL)) {
> 		DRM_ERROR("DX Context not set.\n");
> 		return -EINVAL;
> 	}
>
> 	view_type = vmw_view_cmd_to_type(header->id);
> 	^^^^^^^^^
> view_type is set to vmw_view_max for unknown values.
>
> 	cmd = container_of(header, typeof(*cmd), header);
> 	ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
> 				user_surface_converter,
> 				&cmd->sid, &srf_node);
> 	if (unlikely(ret != 0))
> 		return ret;
>
> 	res = vmw_context_cotable(ctx_node->res, vmw_view_cotables[view_type]);
> 	                                                           ^^^^^^^^^
> but we use it without checking vmw_view_id_ok().
>
> 	ret = vmw_cotable_notify(res, cmd->defined_id);
> 	vmw_resource_unreference(&res);
> 	if (unlikely(ret != 0))
> 		return ret;
>
> regards,
> dan carpenter
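
The pattern the report describes, as an added example that is not part of the original message and is not the vmwgfx driver's code: a command-id-to-type mapping returns the enum's "max" value as a sentinel for unknown ids, and that sentinel must be rejected before it indexes a table sized by the same enum. All names, command ids and table values below are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical view types; VIEW_MAX doubles as the "unknown" sentinel. */
enum view_type { VIEW_SR, VIEW_RT, VIEW_DS, VIEW_MAX };

/* Constructed command ids: only this contiguous range maps to a view type. */
enum { CMD_DEFINE_SR = 100, CMD_DEFINE_RT, CMD_DEFINE_DS };

/* One entry per valid view type, so valid indices are 0..VIEW_MAX-1. */
static const int view_tables[VIEW_MAX] = { 10, 11, 12 };

/* Returns VIEW_MAX for any command id outside the known range. */
static enum view_type cmd_to_view_type(unsigned int id)
{
	if (id < CMD_DEFINE_SR || id > CMD_DEFINE_DS)
		return VIEW_MAX;
	return (enum view_type)(id - CMD_DEFINE_SR);
}

/* Range check standing in for the kind of check the report refers to. */
static int view_type_ok(enum view_type t)
{
	return (unsigned int)t < VIEW_MAX;
}

/*
 * Checked lookup: reject the sentinel before it is used as an index.
 * Without the check, view_tables[VIEW_MAX] reads one element past the
 * end of a 3-entry array (index 3, size 3).
 */
static int lookup_view_table(unsigned int cmd_id, int *table_out)
{
	enum view_type t = cmd_to_view_type(cmd_id);

	if (!view_type_ok(t))
		return -EINVAL;
	*table_out = view_tables[t];
	return 0;
}
```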