From: Maciej Purski Date: Mon, 21 Aug 2017 10:32:51 +0000 (+0200) Subject: drm/bridge/sii8620: Fix memory corruption X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=79964dbaf662229253b281c42e82e2675a9d3b80;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/bridge/sii8620: Fix memory corruption Function sii8620_mt_read_devcap_reg_recv() used to read array index from a wrong msg register, which caused writing out of array bounds. It led to writing on other fields of struct sii8620. Signed-off-by: Maciej Purski Fixes: e9c6da270 ("drm/bridge/sii8620: add reading device capability registers") Signed-off-by: Andrzej Hajda Link: https://patchwork.freedesktop.org/patch/msgid/1503311571-25819-1-git-send-email-m.purski@samsung.com --- diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c index 2d51a2269fc6..5131bfb94f06 100644 --- a/drivers/gpu/drm/bridge/sil-sii8620.c +++ b/drivers/gpu/drm/bridge/sil-sii8620.c @@ -597,9 +597,9 @@ static void sii8620_mt_read_devcap(struct sii8620 *ctx, bool xdevcap) static void sii8620_mt_read_devcap_reg_recv(struct sii8620 *ctx, struct sii8620_mt_msg *msg) { - u8 reg = msg->reg[0] & 0x7f; + u8 reg = msg->reg[1] & 0x7f; - if (msg->reg[0] & 0x80) + if (msg->reg[1] & 0x80) ctx->xdevcap[reg] = msg->ret; else ctx->devcap[reg] = msg->ret;