[PATCH] drm/tegra: Fix window[0] base address corruption
From: Dmitry Osipenko
Date: Sun Aug 21 2016 - 05:03:48 EST
Window uses shared stride for UV planes and tegra_dc_window struct
defines array of 2 strides per window. That's not taken in account
during setting up of the window addresses and strides, resulting in
out-of-bounds write of the 3-rd (non-existent) V plane stride that
overwrites Y plane base address.
Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
---
drivers/gpu/drm/tegra/dc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
index 39940f5..a98dd3e 100644
--- a/drivers/gpu/drm/tegra/dc.c
+++ b/drivers/gpu/drm/tegra/dc.c
@@ -590,7 +590,9 @@ static void tegra_plane_atomic_update(struct drm_plane *plane,
struct tegra_bo *bo = tegra_fb_get_plane(fb, i);
window.base[i] = bo->paddr + fb->offsets[i];
- window.stride[i] = fb->pitches[i];
+
+ if (i < 2)
+ window.stride[i] = fb->pitches[i];
}
tegra_dc_setup_window(dc, p->index, &window);
--
2.9.3