summaryrefslogtreecommitdiff
path: root/drivers/gpu/drm/nouveau/nv04_fbcon.c
diff options
context:
space:
mode:
authorBen Skeggs <bskeggs@redhat.com>2016-06-02 05:23:31 +0300
committerBen Skeggs <bskeggs@redhat.com>2016-06-02 06:53:44 +0300
commitf045f459d925138fe7d6193a8c86406bda7e49da (patch)
treef00acbaf667b587b9e0cbdcb00d16826cbc12429 /drivers/gpu/drm/nouveau/nv04_fbcon.c
parent383d0a419f8e63e3d65e706c3c515fa9505ce364 (diff)
downloadlinux-f045f459d925138fe7d6193a8c86406bda7e49da.tar.xz
drm/nouveau/fbcon: fix out-of-bounds memory accesses
Reported by KASAN. Signed-off-by: Ben Skeggs <bskeggs@redhat.com> Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/gpu/drm/nouveau/nv04_fbcon.c')
-rw-r--r--drivers/gpu/drm/nouveau/nv04_fbcon.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c
index 0f3e4bb411cc..7d9248b8c664 100644
--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
@@ -82,7 +82,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
uint32_t fg;
uint32_t bg;
uint32_t dsize;
- uint32_t width;
uint32_t *data = (uint32_t *)image->data;
int ret;
@@ -93,9 +92,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
if (ret)
return ret;
- width = ALIGN(image->width, 8);
- dsize = ALIGN(width * image->height, 32) >> 5;
-
if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
fg = ((uint32_t *) info->pseudo_palette)[image->fg_color];
@@ -111,10 +107,11 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
((image->dx + image->width) & 0xffff));
OUT_RING(chan, bg);
OUT_RING(chan, fg);
- OUT_RING(chan, (image->height << 16) | width);
+ OUT_RING(chan, (image->height << 16) | image->width);
OUT_RING(chan, (image->height << 16) | image->width);
OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
+ dsize = ALIGN(image->width * image->height, 32) >> 5;
while (dsize) {
int iter_len = dsize > 128 ? 128 : dsize;