From: Dmitry Osipenko Date: Sun, 21 Aug 2016 08:57:58 +0000 (+0300) Subject: drm/tegra: Fix window[0] base address corruption X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=08ee01789eebf433c27e8b3eecc3ddbb5f7c4d51;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git drm/tegra: Fix window[0] base address corruption Window uses shared stride for UV planes and tegra_dc_window struct defines array of 2 strides per window. That's not taken in account during setting up of the window addresses and strides, resulting in out-of-bounds write of the 3-rd (non-existent) V plane stride that overwrites Y plane base address. Signed-off-by: Dmitry Osipenko [treding@nvidia.com: explain why the V-plane stride is ignored] Signed-off-by: Thierry Reding --- diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 8495bd01b544..981d24ae8328 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -591,7 +591,14 @@ static void tegra_plane_atomic_update(struct drm_plane *plane, struct tegra_bo *bo = tegra_fb_get_plane(fb, i); window.base[i] = bo->paddr + fb->offsets[i]; - window.stride[i] = fb->pitches[i]; + + /* + * Tegra uses a shared stride for UV planes. Framebuffers are + * already checked for this in the tegra_plane_atomic_check() + * function, so it's safe to ignore the V-plane pitch here. + */ + if (i < 2) + window.stride[i] = fb->pitches[i]; } tegra_dc_setup_window(dc, p->index, &window);
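Review bot: the new guard `if (i < 2)` hard-codes the size of the stride array as a magic number. The commit message says tegra_dc_window defines an array of 2 strides per window, so `if (i < ARRAY_SIZE(window.stride))` would tie the bound to the struct definition and keep the check correct if that array is ever resized. The `window.base[i]` store on the context line just above stays unguarded, and the loop limit is not visible in this hunk, so it is worth confirming that the plane count can never exceed the size of `base[]`, since that is the same class of out-of-bounds write this patch fixes for `stride[]`. The added comment also relies on tegra_plane_atomic_check() rejecting framebuffers whose U and V pitches differ. That check is outside this diff and should be verified on every tree this fix is backported to, because without it the V-plane pitch is silently dropped rather than validated.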