[PATCH] FB: Davinci: Fix illegal data access in davincifb driver


[PATCH] FB: Davinci: Fix illegal data access in davincifb driver

Sameer Naik
If any of the OSD0, OSD1 or VID1 windows is disabled via the kernel bootargs, davincifb_isr() makes an illegal data access to the disabled window's data
 (dm->{osd0,osd1,vid1}), rendering the kernel unbootable.

This commit adds a check to make sure the dm->{osd0,osd1,vid1} variables are
non-zero before the access is made. The check is not performed for dm->vid0 because, if the VID0 window is disabled, all windows are disabled and davincifb_isr() itself is not registered.
---
 drivers/video/davincifb.c |   46 +++++++++++++++++++++++++-------------------
 1 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/drivers/video/davincifb.c b/drivers/video/davincifb.c
index 1344be7..e890cbf 100644
--- a/drivers/video/davincifb.c
+++ b/drivers/video/davincifb.c
@@ -295,20 +295,24 @@ static irqreturn_t davincifb_isr(int irq, void *arg)
  unsigned long addr=0;
 
  if ((dispc_reg_in(VENC_VSTAT) & 0x00000010) == 0x10) {
- xchg(&addr, dm->osd0->sdram_address);
- if (addr) {
- set_sdram_params(dm->osd0->info.fix.id,
- dm->osd0->sdram_address,
- dm->osd0->info.fix.line_length);
- dm->osd0->sdram_address = 0;
+ if (dm->osd0) {
+ xchg(&addr, dm->osd0->sdram_address);
+ if (addr) {
+ set_sdram_params(dm->osd0->info.fix.id,
+ dm->osd0->sdram_address,
+ dm->osd0->info.fix.line_length);
+ dm->osd0->sdram_address = 0;
+ }
  }
- addr = 0;
- xchg(&addr, dm->osd1->sdram_address);
- if (addr) {
- set_sdram_params(dm->osd1->info.fix.id,
- dm->osd1->sdram_address,
- dm->osd1->info.fix.line_length);
- dm->osd1->sdram_address = 0;
+ if (dm->osd1) {
+ addr = 0;
+ xchg(&addr, dm->osd1->sdram_address);
+ if (addr) {
+ set_sdram_params(dm->osd1->info.fix.id,
+ dm->osd1->sdram_address,
+ dm->osd1->info.fix.line_length);
+ dm->osd1->sdram_address = 0;
+ }
  }
  addr = 0;
  xchg(&addr, dm->vid0->sdram_address);
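Review bot: The `xchg(&addr, dm->osd0->sdram_address)` calls carried into the new `if (dm->osd0)` and `if (dm->osd1)` blocks exchange into the local `addr`, so they behave as a plain copy; the field is then read a second time for set_sdram_params() and cleared by a separate store. If the code that sets sdram_address can run concurrently with this handler (not visible in the hunk), an address written between the read and the clear would be dropped. Consider `addr = xchg(&dm->osd0->sdram_address, 0);` and passing `addr` to set_sdram_params(), assuming the field has a type xchg() accepts; the same applies to the vid0 block and to the vid1 block in the next hunk. davincifb_isr() starts and ends outside this hunk.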
@@ -318,13 +322,15 @@ static irqreturn_t davincifb_isr(int irq, void *arg)
  dm->vid0->info.fix.line_length);
  dm->vid0->sdram_address = 0;
  }
- addr = 0;
- xchg(&addr, dm->vid1->sdram_address);
- if (addr) {
- set_sdram_params(dm->vid1->info.fix.id,
- dm->vid1->sdram_address,
- dm->vid1->info.fix.line_length);
- dm->vid1->sdram_address = 0;
+ if (dm->vid1) {
+ addr = 0;
+ xchg(&addr, dm->vid1->sdram_address);
+ if (addr) {
+ set_sdram_params(dm->vid1->info.fix.id,
+ dm->vid1->sdram_address,
+ dm->vid1->info.fix.line_length);
+ dm->vid1->sdram_address = 0;
+ }
  }
  return IRQ_HANDLED;
  } else {
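Review bot: The `dm->vid0` dereference just above the new `if (dm->vid1)` block stays unguarded, and the reason it is safe is given only in the commit message. A NULL dereference here would happen in interrupt context, so the invariant deserves a comment at the access, e.g. `/* vid0 is never NULL here: the ISR is only registered when VID0 is enabled */`. If the registration path ever changes, an `if (dm->vid0)` test matching the other three windows would be the cheap alternative. The function body continues past the end of this hunk.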
--
1.6.2.5

