From patchwork Fri Feb 2 15:27:31 2018
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 126731
From: Arnd Bergmann
To: Ben Skeggs, David Airlie
Cc: Arnd Bergmann, Martin Sebor, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH] drm: nouveau: use larger buffer in nvif_vmm_map
Date: Fri, 2 Feb 2018 16:27:31 +0100
Message-Id: <20180202152745.1036820-1-arnd@arndb.de>

gcc points out a buffer that is clearly too small to be used in a meaningful
way, as the 'sizeof(*args) + argc > sizeof(stack)' will always fail:

In function 'memcpy',
    inlined from 'nvif_vmm_map' at drivers/gpu/drm/nouveau/nvif/vmm.c:55:2:
include/linux/string.h:353:9: error: '__builtin_memcpy' offset 40 is out of the bounds [0, 16] of object 'stack' with type 'u8[16]' {aka 'unsigned char[16]'} [-Werror=array-bounds]
  return __builtin_memcpy(p, q, size);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/nouveau/nvif/vmm.c: In function 'nvif_vmm_map':
drivers/gpu/drm/nouveau/nvif/vmm.c:40:5: note: 'stack' declared here

This makes the buffer large enough so it should serve the purpose
that the author presumably had in mind. Alternatively we could
just get rid of it completely and simplify the code at the cost
of always doing the kmalloc (as we do in the current version).

Fixes: 920d2b5ef215 ("drm/nouveau/mmu: define user interfaces to mmu vmm opertaions")
Signed-off-by: Arnd Bergmann
---
Cc: Martin Sebor

Martin: this one is interesting, I think it qualifies as a false-positive
warning that gcc should not print because there is no overflow, but
the code is still wrong because we never copy into the fixed-size buffer
that was intended as a micro-optimization
---
 drivers/gpu/drm/nouveau/nvif/vmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.9.0

diff --git a/drivers/gpu/drm/nouveau/nvif/vmm.c b/drivers/gpu/drm/nouveau/nvif/vmm.c index 31cdb2d2e1ff..191832be6c65 100644 --- a/drivers/gpu/drm/nouveau/nvif/vmm.c +++ b/drivers/gpu/drm/nouveau/nvif/vmm.c @@ -37,7 +37,7 @@ nvif_vmm_map(struct nvif_vmm *vmm, u64 addr, u64 size, void *argv, u32 argc, struct nvif_mem *mem, u64 offset) { struct nvif_vmm_map_v0 *args; - u8 stack[16]; + u8 stack[48]; int ret; if (sizeof(*args) + argc > sizeof(stack)) {
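
Review bot: the new size in `u8 stack[48]` is a bare constant with nothing tying it to `sizeof(*args)`, which the `sizeof(*args) + argc > sizeof(stack)` check on the following line depends on. The gcc diagnostic quoted in the commit message places the copy at offset 40, so if that offset is the size of the fixed header, 48 leaves 8 bytes for `argc` before the code takes the kmalloc path; the patch does not show whether that covers the usual callers. Consider sizing the array from `sizeof(struct nvif_vmm_map_v0)` plus a named payload budget, or at least add a comment stating how 48 was chosen, so that a later growth of the struct does not silently turn the stack path into dead code again.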