| Message ID | 1487354070-14487-4-git-send-email-brian.starkey@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 2017-02-17 12:54 PM, Brian Starkey wrote: > The dynamic plane support means that if there's no cursor plane, then > there is no space in the pipe->planes array for it, and thus assigning > a "drm_plane-less" plane is out-of-bounds and leads to heap corruption > and later crashes. > > The "drm_plane-less" cursor plane isn't included in n_planes anyway, > which means there's no way to ever access it/know that it's there - so > just remove it entirely. Nice catch! Reviewed-by: Robert Foss <robert.foss@collabora.com> Rob. > > Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support > Signed-off-by: Brian Starkey <brian.starkey@arm.com> > --- > lib/igt_kms.c | 6 ------ > 1 file changed, 6 deletions(-) > > diff --git a/lib/igt_kms.c b/lib/igt_kms.c > index 45c90c71f301..ef7bfd1a8108 100644 > --- a/lib/igt_kms.c > +++ b/lib/igt_kms.c > @@ -1837,12 +1837,6 @@ void igt_display_init(igt_display_t *display, int drm_fd) > memset(&pipe->planes[last_plane], 0, > sizeof *plane); > } > - } else { > - /* Add drm_plane-less cursor */ > - plane = &pipe->planes[p]; > - plane->pipe = pipe; > - plane->index = p; > - plane->type = DRM_PLANE_TYPE_CURSOR; > } > > pipe->n_planes = n_planes; >
diff --git a/lib/igt_kms.c b/lib/igt_kms.c index 45c90c71f301..ef7bfd1a8108 100644 --- a/lib/igt_kms.c +++ b/lib/igt_kms.c @@ -1837,12 +1837,6 @@ void igt_display_init(igt_display_t *display, int drm_fd) memset(&pipe->planes[last_plane], 0, sizeof *plane); } - } else { - /* Add drm_plane-less cursor */ - plane = &pipe->planes[p]; - plane->pipe = pipe; - plane->index = p; - plane->type = DRM_PLANE_TYPE_CURSOR; } pipe->n_planes = n_planes;
The dynamic plane support means that if there's no cursor plane, then there is no space in the pipe->planes array for it, and thus assigning a "drm_plane-less" plane is out-of-bounds and leads to heap corruption and later crashes. The "drm_plane-less" cursor plane isn't included in n_planes anyway, which means there's no way to ever access it/know that it's there - so just remove it entirely. Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support Signed-off-by: Brian Starkey <brian.starkey@arm.com> --- lib/igt_kms.c | 6 ------ 1 file changed, 6 deletions(-)