[PATCH 4.18 005/171] drm/amd/display: fix bug of accessing invalid memory
From: Greg Kroah-Hartman
Date: Mon Nov 19 2018 - 11:40:55 EST
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Sung Chung <Su.Chung@xxxxxxx>
[ Upstream commit 43c3ff27a47d83d153c4adc088243ba594582bf5 ]
[Why]
A loop inside of build_evenly_distributed_points function that traverse through
the array of points become an infinite loop when m_GammaUpdates does not
get assigned to any value.
[How]
In DMColor, clear m_gammaIsValid bit just before writting all Zeromem for
m_GammaUpdates, to prevent calling build_evenly_distributed_points
before m_GammaUpdates gets assigned to some value.
Signed-off-by: Su Sung Chung <Su.Chung@xxxxxxx>
Reviewed-by: Aric Cyr <Aric.Cyr@xxxxxxx>
Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@xxxxxxx>
Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
@@ -968,10 +968,14 @@ static void build_evenly_distributed_poi
struct dividers dividers)
{
struct gamma_pixel *p = points;
- struct gamma_pixel *p_last = p + numberof_points - 1;
+ struct gamma_pixel *p_last;
uint32_t i = 0;
+ // This function should not gets called with 0 as a parameter
+ ASSERT(numberof_points > 0);
+ p_last = p + numberof_points - 1;
+
do {
struct fixed31_32 value = dc_fixpt_from_fraction(i,
numberof_points - 1);
@@ -982,7 +986,7 @@ static void build_evenly_distributed_poi
++p;
++i;
- } while (i != numberof_points);
+ } while (i < numberof_points);
p->r = dc_fixpt_div(p_last->r, dividers.divider1);
p->g = dc_fixpt_div(p_last->g, dividers.divider1);