On 1/14/19 10:13 AM, Noralf Trønnes wrote:
I see that you have this call chain:
st7586_pipe_enable() -> mipi_dbi_enable_flush() -> mipi_dbi_fb_dirty().
That doesn't look safe. The st7586 driver allocates a tx_buf with size:
size_t bufsize = (mode->vdisplay + 2) / 3 * mode->hdisplay;
whereas mipi_dbi_enable_flush() will trigger a copy to tx_buf with len:
fb->width * fb->height * 2
It looks like you're writing zeroes way past the end of the buffer.
Noralf.
Thanks! That does indeed seem to be the problem. I'll put together
a patch to fix this. I'm thinking it will be easier to make the
fix before applying this series so that it will be easier to
backport.
FWIW, here is the change I made on top of this series.
diff --git a/drivers/gpu/drm/tinydrm/st7586.c b/drivers/gpu/drm/tinydrm/st7586.c
index 50e370ce5a59..a6cad8f1d2c9 100644
--- a/drivers/gpu/drm/tinydrm/st7586.c
+++ b/drivers/gpu/drm/tinydrm/st7586.c
@@ -176,6 +176,12 @@ static void st7586_pipe_enable(struct drm_simple_display_pipe *pipe,
{
struct tinydrm_device *tdev = pipe_to_tinydrm(pipe);
struct mipi_dbi *mipi = mipi_dbi_from_tinydrm(tdev);
+ struct drm_rect rect = {
+ .x1 = 0,
+ .x2 = plane_state->fb->width,
+ .y1 = 0,
+ .y2 = plane_state->fb->height,
+ };
int ret;
u8 addr_mode;
@@ -234,7 +240,7 @@ static void st7586_pipe_enable(struct drm_simple_display_pipe *pipe,
mipi_dbi_command(mipi, MIPI_DCS_SET_DISPLAY_ON);
- mipi_dbi_enable_flush(mipi, crtc_state, plane_state);
+ st7586_fb_dirty(plane_state->fb, &rect);
}
static void st7586_pipe_disable(struct drm_simple_display_pipe *pipe)
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
