From: Dan Carpenter
Subject: question regarding nvc0_instmem_suspend()
Date: Fri, 13 Aug 2010 23:39:53 +0200
Message-ID: <20100813213953.GU645@bicker>
To: bskeggs@redhat.com
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

Smatch thinks there is a buffer overflow in nvc0_instmem_suspend() and I've
looked at it, but I don't understand the code.

drivers/gpu/drm/nouveau/nvc0_instmem.c +152 nvc0_instmem_suspend(10) error: buffer overflow 'dev_priv->susres.ramin_copy' 16384 <= 1835008

   141  int
   142  nvc0_instmem_suspend(struct drm_device *dev)
   143  {
   144          struct drm_nouveau_private *dev_priv = dev->dev_private;
   145          int i;
   146
   147          dev_priv->susres.ramin_copy = vmalloc(65536);

dev_priv->susres.ramin_copy is an array of 16384 u32 elements (65536 bytes).

   148          if (!dev_priv->susres.ramin_copy)
   149                  return -ENOMEM;
   150
   151          for (i = 0x700000; i < 0x710000; i += 4)
   152                  dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, i);

0x700000 / 4 is 1835008 so we're way past the end of the array and then we
get larger.

   153          return 0;
   154  }

Normally when I'm this confused it's because I'm missing something
obvious. :P  Can you help me out?

regards,
dan carpenter
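The index arithmetic the mail is asking about, as an added C example that is not part of the original mail and not nouveau's code. It keeps the constants from the quoted function (a 65536-byte buffer of 16384 u32 words, filled from the 0x700000..0x710000 register window), replaces nv_rd32() with a constructed stand-in that returns the offset it is asked for, and copies the window through a bounds-checked helper so that an out-of-range index is reported instead of written. index_window_relative() is an assumed window-relative form of the index, shown only to contrast with the i/4 expression in the quoted loop; it is not a fix taken from the project.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constants taken from the quoted nvc0_instmem_suspend(): a 64 KiB copy
 * buffer and the 0x700000..0x710000 register window it is filled from. */
#define RAMIN_COPY_BYTES   65536u
#define RAMIN_COPY_WORDS   (RAMIN_COPY_BYTES / 4)   /* 16384 u32 elements */
#define RAMIN_WINDOW_START 0x700000u
#define RAMIN_WINDOW_END   0x710000u

/* Constructed stand-in for nv_rd32(): the "register" at offset i holds the
 * value i, so a faithful copy is trivially checkable. Not nouveau's code. */
static uint32_t sim_rd32(uint32_t offset)
{
    return offset;
}

/* Index expression exactly as written in the quoted loop: i / 4. */
uint32_t index_as_written(uint32_t i)
{
    return i / 4;
}

/* Hypothetical window-relative index: (i - window start) / 4. Assumed here
 * for contrast; not taken from the project. */
uint32_t index_window_relative(uint32_t i)
{
    return (i - RAMIN_WINDOW_START) / 4;
}

/* Copy the register window into dst using the supplied index function, but
 * refuse any index that falls outside dst. Returns the number of words
 * copied, or -1 on the first out-of-range index (nothing is written past
 * the end of dst). */
int copy_ramin_checked(uint32_t *dst, size_t dst_words,
                       uint32_t (*index_of)(uint32_t))
{
    int copied = 0;
    for (uint32_t i = RAMIN_WINDOW_START; i < RAMIN_WINDOW_END; i += 4) {
        uint32_t idx = index_of(i);
        if (idx >= dst_words)
            return -1;
        dst[idx] = sim_rd32(i);
        copied++;
    }
    return copied;
}

/* Returns 1 if every word of dst holds the register value it should, i.e.
 * word w mirrors offset RAMIN_WINDOW_START + 4*w. */
int copy_is_faithful(const uint32_t *dst, size_t dst_words)
{
    for (size_t w = 0; w < dst_words; w++)
        if (dst[w] != RAMIN_WINDOW_START + (uint32_t)(w * 4))
            return 0;
    return 1;
}

int main(void)
{
    uint32_t *buf = calloc(RAMIN_COPY_WORDS, sizeof *buf);
    if (!buf)
        return 1;
    printf("as written: first index %u, limit %u, copy result %d\n",
           index_as_written(RAMIN_WINDOW_START), RAMIN_COPY_WORDS,
           copy_ramin_checked(buf, RAMIN_COPY_WORDS, index_as_written));
    printf("window-relative: copy result %d, faithful %d\n",
           copy_ramin_checked(buf, RAMIN_COPY_WORDS, index_window_relative),
           copy_is_faithful(buf, RAMIN_COPY_WORDS));
    free(buf);
    return 0;
}
```

With the index as written, the very first iteration produces 1835008, the number in the Smatch message, which is already past a 16384-word buffer, so the checked copy stops before touching memory; with the window-relative index the 16384 iterations map onto indices 0..16383 and the copy completes. A bounds check like the one in copy_ramin_checked() is the kind of assertion a driver could keep behind a debug build to catch this class of error before it reaches hardware.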