If the number of connectors changes, then it is possible for the fbdev helper to overrun/underrun some arrays which it allocates. It allocates these arrays based on mode_config.num_connector but then walks lists using fb_helper->connector_count to limit the array index. This can lead to writes off the end of the arrays. Fix this by allocating the arrays using fb_helper->connector_count. A similar thing exists for some of the CRTC arrays. For these, use fb_helper->crtc_count. Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx> --- David, Would you consider the following patch to clean up the DRM fb helper a little - we already record the number of CRTCs and connectors in the fb_helper structure. While we officially don't support hotplugging, this is more a consistency cleanup, so that we're dimensioning the arrays using the same sizing that we will then use to walk over them. Thanks. drivers/gpu/drm/drm_fb_helper.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 0a19401aff80..0da727e55fd2 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -1360,7 +1360,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, if (modes[n] == NULL) return best_score; - crtcs = kzalloc(dev->mode_config.num_connector * + crtcs = kcalloc(fb_helper->crtc_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); if (!crtcs) return best_score; @@ -1406,7 +1406,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, if (score > best_score) { best_score = score; memcpy(best_crtcs, crtcs, - dev->mode_config.num_connector * + fb_helper->crtc_count * sizeof(struct drm_fb_helper_crtc *)); } } @@ -1430,11 +1430,11 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper) width = dev->mode_config.max_width; height = dev->mode_config.max_height; - crtcs = kcalloc(dev->mode_config.num_connector, + crtcs = kcalloc(fb_helper->connector_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); - modes = kcalloc(dev->mode_config.num_connector, + modes = kcalloc(fb_helper->connector_count, sizeof(struct drm_display_mode *), GFP_KERNEL); - enabled = kcalloc(dev->mode_config.num_connector, + enabled = kcalloc(fb_helper->connector_count, sizeof(bool), GFP_KERNEL); if (!crtcs || !modes || !enabled) { DRM_ERROR("Memory allocation failed\n"); @@ -1447,8 +1447,8 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper) if (!(fb_helper->funcs->initial_config && fb_helper->funcs->initial_config(fb_helper, crtcs, modes, enabled, width, height))) { - memset(modes, 0, dev->mode_config.num_connector*sizeof(modes[0])); - memset(crtcs, 0, dev->mode_config.num_connector*sizeof(crtcs[0])); + memset(modes, 0, fb_helper->connector_count * sizeof(modes[0])); + memset(crtcs, 0, fb_helper->connector_count * sizeof(crtcs[0])); if (!drm_target_cloned(fb_helper, modes, enabled, width, height) && -- 1.8.3.1 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel