drm/tegra: Fix window[0] base address corruption

Window uses shared stride for UV planes and tegra_dc_window struct
defines array of 2 strides per window. That's not taken in account
during setting up of the window addresses and strides, resulting in
out-of-bounds write of the 3-rd (non-existent) V plane stride that
overwrites Y plane base address.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
[treding@nvidia.com: explain why the V-plane stride is ignored]
Signed-off-by: Thierry Reding <treding@nvidia.com>

diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
index 8495bd0..981d24a 100644 (file)
--- a/drivers/gpu/drm/tegra/dc.c
+++ b/drivers/gpu/drm/tegra/dc.c
@@ -591,7 +591,14 @@ static void tegra_plane_atomic_update(struct drm_plane *plane,
                struct tegra_bo *bo = tegra_fb_get_plane(fb, i);
 
                window.base[i] = bo->paddr + fb->offsets[i];
-               window.stride[i] = fb->pitches[i];
+
+               /*
+                * Tegra uses a shared stride for UV planes. Framebuffers are
+                * already checked for this in the tegra_plane_atomic_check()
+                * function, so it's safe to ignore the V-plane pitch here.
+                */
+               if (i < 2)
+                       window.stride[i] = fb->pitches[i];
        }
 
        tegra_dc_setup_window(dc, p->index, &window);