I think the gamma_store can end up invalid on error. But the way I read
it, that can happen in drm_mode_gamma_set_ioctl as well, so why should
this pesky legacy fbdev stuff be any better?
Signed-off-by: Peter Rosin <p...@axentia.se>
---
drivers/gpu/drm/drm_fb_helper.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
This is an alternative version rebased on top of Daniels "fbdev helper
locking rework and deferred setup" series.
Cheers,
peda
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index a4cfef9..c7122c9 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1330,12 +1330,16 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct
fb_info *info)
const struct drm_crtc_helper_funcs *crtc_funcs;
u16 *red, *green, *blue, *transp;
struct drm_crtc *crtc;
+ u16 *r, *g, *b;
int i, j, rc = 0;
int start;
if (oops_in_progress)
return -EBUSY;
+ if (cmap->start + cmap->len < cmap->start)
+ return -EINVAL;
+
mutex_lock(&fb_helper->lock);
if (!drm_fb_helper_is_bound(fb_helper)) {
mutex_unlock(&fb_helper->lock);
@@ -1353,6 +1357,29 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct
fb_info *info)
transp = cmap->transp;
start = cmap->start;
+ if (info->fix.visual != FB_VISUAL_TRUECOLOR) {
+ if (!crtc->gamma_size) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ if (cmap->start + cmap->len > crtc->gamma_size) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ r = crtc->gamma_store;
+ g = r + crtc->gamma_size;
+ b = g + crtc->gamma_size;
+
+ memcpy(r + cmap->start, cmap->red,
+ cmap->len * sizeof(u16));
+ memcpy(g + cmap->start, cmap->green,
+ cmap->len * sizeof(u16));
+ memcpy(b + cmap->start, cmap->blue,
+ cmap->len * sizeof(u16));
+ }
+
for (j = 0; j < cmap->len; j++) {
u16 hred, hgreen, hblue, htransp = 0xffff;
--
2.1.4
