From patchwork Fri Feb 7 21:12:54 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Russell King X-Patchwork-Id: 3613811 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 5432CBF418 for ; Sun, 9 Feb 2014 17:04:00 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6BECC20138 for ; Sun, 9 Feb 2014 17:03:58 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id C49B5200B4 for ; Sun, 9 Feb 2014 17:03:53 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 7BCBCFA45C; Sun, 9 Feb 2014 09:03:31 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from pandora.arm.linux.org.uk (gw-1.arm.linux.org.uk [78.32.30.217]) by gabe.freedesktop.org (Postfix) with ESMTP id 09F83FBD44 for ; Fri, 7 Feb 2014 13:12:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=arm.linux.org.uk; s=pandora; h=Date:Sender:Message-Id:Subject:Cc:To:From; bh=8XiuVg/TzO3bRTCRy3q5EzHyJpdRQE+pzHsReE/JOmI=; b=B/z8uKDUcU8ZBZX7edsUuvPH1JLG3gBntiEBd9p0BkZvEP/BY8olmH+RzCeAZ3HrGiZ8OONMb7LQphhyW9xBsOQsD0D6Gv0iVBwjHnfRlGiIwdxROVd/9+2WDD0Io8vO+lKrIiaowZwmm6VZcWLpfbiWOPVIXai/Wh+/bDNyEyM=; Received: from e0022681537dd.dyn.arm.linux.org.uk ([2001:4d48:ad52:3201:222:68ff:fe15:37dd]:57307 helo=rmk-PC.arm.linux.org.uk) by pandora.arm.linux.org.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from ) id 1WBsjG-0002P3-Ky; Fri, 07 Feb 2014 21:12:54 +0000 Received: from rmk by rmk-PC.arm.linux.org.uk with local (Exim 4.76) (envelope-from ) id 1WBsjG-0003N6-9x; Fri, 07 Feb 2014 21:12:54 +0000 From: Russell King To: David Airlie Subject: [PATCH] DRM: ensure fbdev helper arrays are appropriately dimensioned Message-Id: Date: Fri, 07 Feb 2014 21:12:54 +0000 X-Mailman-Approved-At: Sun, 09 Feb 2014 09:03:19 -0800 Cc: dri-devel@lists.freedesktop.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If the number of connectors changes, then it is possible for the fbdev helper to overrun/underrun some arrays which it allocates. It allocates these arrays based on mode_config.num_connector but then walks lists using fb_helper->connector_count to limit the array index. This can lead to writes off the end of the arrays. Fix this by allocating the arrays using fb_helper->connector_count. A similar thing exists for some of the CRTC arrays. For these, use fb_helper->crtc_count. Signed-off-by: Russell King --- David, Would you consider the following patch to clean up the DRM fb helper a little - we already record the number of CRTCs and connectors in the fb_helper structure. While we officially don't support hotplugging, this is more a consistency cleanup, so that we're dimensioning the arrays using the same sizing that we will then use to walk over them. Thanks. drivers/gpu/drm/drm_fb_helper.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 0a19401aff80..0da727e55fd2 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -1360,7 +1360,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, if (modes[n] == NULL) return best_score; - crtcs = kzalloc(dev->mode_config.num_connector * + crtcs = kcalloc(fb_helper->crtc_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); if (!crtcs) return best_score; @@ -1406,7 +1406,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, if (score > best_score) { best_score = score; memcpy(best_crtcs, crtcs, - dev->mode_config.num_connector * + fb_helper->crtc_count * sizeof(struct drm_fb_helper_crtc *)); } } @@ -1430,11 +1430,11 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper) width = dev->mode_config.max_width; height = dev->mode_config.max_height; - crtcs = kcalloc(dev->mode_config.num_connector, + crtcs = kcalloc(fb_helper->connector_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); - modes = kcalloc(dev->mode_config.num_connector, + modes = kcalloc(fb_helper->connector_count, sizeof(struct drm_display_mode *), GFP_KERNEL); - enabled = kcalloc(dev->mode_config.num_connector, + enabled = kcalloc(fb_helper->connector_count, sizeof(bool), GFP_KERNEL); if (!crtcs || !modes || !enabled) { DRM_ERROR("Memory allocation failed\n"); @@ -1447,8 +1447,8 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper) if (!(fb_helper->funcs->initial_config && fb_helper->funcs->initial_config(fb_helper, crtcs, modes, enabled, width, height))) { - memset(modes, 0, dev->mode_config.num_connector*sizeof(modes[0])); - memset(crtcs, 0, dev->mode_config.num_connector*sizeof(crtcs[0])); + memset(modes, 0, fb_helper->connector_count * sizeof(modes[0])); + memset(crtcs, 0, fb_helper->connector_count * sizeof(crtcs[0])); if (!drm_target_cloned(fb_helper, modes, enabled, width, height) &&