Den 14.01.2019 23.33, skrev David Lechner:
> On 1/14/19 3:50 PM, David Lechner wrote:
>> On 1/14/19 10:13 AM, Noralf Trønnes wrote:
>>>
>>> I see that you have this call chain:
>>> st7586_pipe_enable() -> mipi_dbi_enable_flush() -> mipi_dbi_fb_dirty().
>>>
>>> That doesn't look safe. The st7586 driver allocates a tx_buf with size:
>>> size_t bufsize = (mode->vdisplay + 2) / 3 * mode->hdisplay;
>>>
>>> whereas mipi_dbi_enable_flush() will trigger a copy to tx_buf with len:
>>> fb->width * fb->height * 2
>>>
>>> It looks like you're writing zeroes way past the end of the buffer.
>>>
>>> Noralf.
>>>
>>
>> Thanks! That does indeed seem to be the problem. I'll put together
>> a patch to fix this. I'm thinking it will be easier to make the
>> fix before applying this series so that it will be easier to
>> backport.
>>
>
> Well, now that I am looking into it more, I see that the problem
> was not preexisting. This patch ("drm/tinydrm: Use damage helper
> for dirtyfb") also changes mipi_dbi_enable_flush() from calling
> tdev->fb_dirty() to mipi_dbi_fb_dirty().
>
> Perhaps we should not be dropping tdev->fb_dirty()?
I want to get rid of tinydrm_device, to avoid tinydrm being like a
mid-layer. My goal is to make tinydrm just a collection of tiny regular
DRM drivers.
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
