drm/tegra: Fix window[0] base address corruption

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Window uses shared stride for UV planes and tegra_dc_window struct
defines array of 2 strides per window. That's not taken in account
during setting up of the window addresses and strides, resulting in
out-of-bounds write of the 3-rd (non-existent) V plane stride that
overwrites Y plane base address.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
[treding@nvidia.com: explain why the V-plane stride is ignored]
Signed-off-by: Thierry Reding <treding@nvidia.com>

authored by

Dmitry Osipenko and committed by

Thierry Reding 9 years ago 08ee0178 87904c3e

+8 -1

1 changed file

expand all

drivers

gpu

drm

tegra

dc.c

+8 -1

drivers/gpu/drm/tegra/dc.c

··· 591 591 struct tegra_bo *bo = tegra_fb_get_plane(fb, i); 592 592 593 593 window.base[i] = bo->paddr + fb->offsets[i]; 594 - window.stride[i] = fb->pitches[i]; 594 + 595 + /* 596 + * Tegra uses a shared stride for UV planes. Framebuffers are 597 + * already checked for this in the tegra_plane_atomic_check() 598 + * function, so it's safe to ignore the V-plane pitch here. 599 + */ 600 + if (i < 2) 601 + window.stride[i] = fb->pitches[i]; 595 602 } 596 603 597 604 tegra_dc_setup_window(dc, p->index, &window);