I think the gamma_store can end up invalid on error. But the way I read it, that can happen in drm_mode_gamma_set_ioctl as well, so why should this pesky legacy fbdev stuff be any better? Signed-off-by: Peter Rosin <peda at axentia.se> --- drivers/gpu/drm/drm_fb_helper.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) This is an alternative version rebased on top of Daniels "fbdev helper locking rework and deferred setup" series. Cheers, peda diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index a4cfef9..c7122c9 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -1330,12 +1330,16 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) const struct drm_crtc_helper_funcs *crtc_funcs; u16 *red, *green, *blue, *transp; struct drm_crtc *crtc; + u16 *r, *g, *b; int i, j, rc = 0; int start; if (oops_in_progress) return -EBUSY; + if (cmap->start + cmap->len < cmap->start) + return -EINVAL; + mutex_lock(&fb_helper->lock); if (!drm_fb_helper_is_bound(fb_helper)) { mutex_unlock(&fb_helper->lock); @@ -1353,6 +1357,29 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) transp = cmap->transp; start = cmap->start; + if (info->fix.visual != FB_VISUAL_TRUECOLOR) { + if (!crtc->gamma_size) { + rc = -EINVAL; + goto out; + } + + if (cmap->start + cmap->len > crtc->gamma_size) { + rc = -EINVAL; + goto out; + } + + r = crtc->gamma_store; + g = r + crtc->gamma_size; + b = g + crtc->gamma_size; + + memcpy(r + cmap->start, cmap->red, + cmap->len * sizeof(u16)); + memcpy(g + cmap->start, cmap->green, + cmap->len * sizeof(u16)); + memcpy(b + cmap->start, cmap->blue, + cmap->len * sizeof(u16)); + } + for (j = 0; j < cmap->len; j++) { u16 hred, hgreen, hblue, htransp = 0xffff; -- 2.1.4