From 3dbdb4dd4f8e5847b8f7d6dbd849e0b9a0907a5b Mon Sep 17 00:00:00 2001 From: Peng Fan Date: Fri, 27 Nov 2015 10:00:10 +0800 Subject: [PATCH] video: ipu: fix out of bounds access We need to access reg stp_rep9, but not stp_rep[(9 - 1) / 2]. If using "__raw_writel(0, DI_STP_REP(disp, 9))", this will exceeds the size of stp_rep array. Signed-off-by: Peng Fan Acked-by: Liu Ying Cc: Stefano Babic Cc: Anatolij Gustschin --- drivers/video/ipu_disp.c | 2 +- drivers/video/ipu_regs.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/video/ipu_disp.c b/drivers/video/ipu_disp.c index 4faeafb635..e08ddd4a4e 100644 --- a/drivers/video/ipu_disp.c +++ b/drivers/video/ipu_disp.c @@ -1119,7 +1119,7 @@ int32_t ipu_init_sync_panel(int disp, uint32_t pixel_clk, reg &= 0x0000FFFF; __raw_writel(reg, DI_STP_REP(disp, 6)); __raw_writel(0, DI_STP_REP(disp, 7)); - __raw_writel(0, DI_STP_REP(disp, 9)); + __raw_writel(0, DI_STP_REP9(disp)); /* Init template microcode */ if (disp) { diff --git a/drivers/video/ipu_regs.h b/drivers/video/ipu_regs.h index c2c134a7de..0d3fe069e9 100644 --- a/drivers/video/ipu_regs.h +++ b/drivers/video/ipu_regs.h @@ -338,6 +338,7 @@ struct ipu_dmfc { #define DI_SW_GEN0(di, gen) (&DI_REG(di)->sw_gen0[gen - 1]) #define DI_SW_GEN1(di, gen) (&DI_REG(di)->sw_gen1[gen - 1]) #define DI_STP_REP(di, gen) (&DI_REG(di)->stp_rep[(gen - 1) / 2]) +#define DI_STP_REP9(di) (&DI_REG(di)->stp_rep9) #define DI_SYNC_AS_GEN(di) (&DI_REG(di)->sync_as) #define DI_DW_GEN(di, gen) (&DI_REG(di)->dw_gen[gen]) #define DI_DW_SET(di, gen, set) (&DI_REG(di)->dw_set[gen + 12 * set]) -- 2.30.2