From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: re: drm/nouveau: port all engines to new engine module format
Date: Mon, 11 Mar 2013 13:55:32 +0300
Message-ID: <20130311105532.GA31105@longonot.mountain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	by gabe.freedesktop.org (Postfix) with ESMTP id A66AAE5C99
	for <dri-devel@lists.freedesktop.org>;
	Mon, 11 Mar 2013 03:57:05 -0700 (PDT)
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: bskeggs@redhat.com
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

Hello Ben Skeggs,

The patch ebb945a94bba: "drm/nouveau: port all engines to new engine 
module format" from Jul 20, 2012, leads to the following warning:
"drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c:570 
nvc0_graph_ctor()
	 error: buffer overflow 'priv->tpc_nr' 4 <= 30"

drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
   566  
   567          priv->rop_nr = (nv_rd32(priv, 0x409604) & 0x001f0000) >> 16;
   568          priv->gpc_nr =  nv_rd32(priv, 0x409604) & 0x0000001f;
                ^^^^^^^^^^^^
setting this to something between 0 and 0x1f.

   569          for (i = 0; i < priv->gpc_nr; i++) {
   570                  priv->tpc_nr[i]  = nv_rd32(priv, GPC_UNIT(i, 0x2608));
                        ^^^^^^^^^^^^^^^
If ->gpc_nr is more than 4 we are writing past the end of the array.

   571                  priv->tpc_total += priv->tpc_nr[i];
   572          }
   573  

regards,
dan carpenter