From patchwork Fri Feb 2 15:27:31 2018
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 10197029
From: Arnd Bergmann
To: Ben Skeggs, David Airlie
Subject: [PATCH] drm: nouveau: use larger buffer in nvif_vmm_map
Date: Fri, 2 Feb 2018 16:27:31 +0100
Message-Id: <20180202152745.1036820-1-arnd@arndb.de>
Cc: nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Arnd Bergmann, Martin Sebor

gcc points out a buffer that is clearly too small to be used in a meaningful
way, as the 'sizeof(*args) + argc > sizeof(stack)' will always fail:

In function 'memcpy', inlined from
'nvif_vmm_map' at drivers/gpu/drm/nouveau/nvif/vmm.c:55:2:
include/linux/string.h:353:9: error: '__builtin_memcpy' offset 40 is out of the bounds [0, 16] of object 'stack' with type 'u8[16]' {aka 'unsigned char[16]'} [-Werror=array-bounds]
  return __builtin_memcpy(p, q, size);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/nouveau/nvif/vmm.c: In function 'nvif_vmm_map':
drivers/gpu/drm/nouveau/nvif/vmm.c:40:5: note: 'stack' declared here

This makes the buffer large enough so it should serve the purpose that the
author presumably had in mind. Alternatively we could just get rid of it
completely and simplify the code at the cost of always doing the kmalloc
(as we do in the current version).

Fixes: 920d2b5ef215 ("drm/nouveau/mmu: define user interfaces to mmu vmm opertaions")
Signed-off-by: Arnd Bergmann
---
Cc: Martin Sebor

Martin: this one is interesting, I think it qualifies as a false-positive
warning that gcc should not print because there is no overflow, but the
code is still wrong because we never copy into the fixed-size buffer
that was intended as a micro-optimization
---
 drivers/gpu/drm/nouveau/nvif/vmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvif/vmm.c b/drivers/gpu/drm/nouveau/nvif/vmm.c index 31cdb2d2e1ff..191832be6c65 100644 --- a/drivers/gpu/drm/nouveau/nvif/vmm.c +++ b/drivers/gpu/drm/nouveau/nvif/vmm.c @@ -37,7 +37,7 @@ nvif_vmm_map(struct nvif_vmm *vmm, u64 addr, u64 size, void *argv, u32 argc, struct nvif_mem *mem, u64 offset) { struct nvif_vmm_map_v0 *args; - u8 stack[16]; + u8 stack[48]; int ret; if (sizeof(*args) + argc > sizeof(stack)) {
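
Review bot: The new size in `u8 stack[48];` is a bare constant with no stated relation to `sizeof(*args)`, which is the same kind of mismatch that made `stack[16]` useless. The gcc diagnostic quoted in the commit message places the memcpy at offset 40, so if that offset is the end of the fixed part of `struct nvif_vmm_map_v0`, 48 bytes leaves only 8 bytes for `argv` before the `sizeof(*args) + argc > sizeof(stack)` check falls back to the allocation path. Consider sizing the array from the struct, for example `u8 stack[sizeof(*args) + N];` with N the inline payload you want to cover, or at least add a comment stating the intended headroom so the fast path does not silently go dead again if the struct grows.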