From a3562a0e471df02234f74ab4e0625042f44a76e9 Mon Sep 17 00:00:00 2001
From: Peter Rosin <peda@axentia.se>
Date: Tue, 4 Jul 2017 12:36:58 +0200
Subject: [PATCH] drm/fb-helper: keep the .gamma_store updated in drm_fb_helper_setcmap
Git-commit: a3562a0e471df02234f74ab4e0625042f44a76e9
Patch-mainline: v4.14-rc1
References: FATE#322643 bsc#1055900

I think the gamma_store can end up invalid on error. But the way I read
it, that can happen in drm_mode_gamma_set_ioctl as well, so why should
this pesky legacy fbdev stuff be any better?

Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1499164632-5582-3-git-send-email-peda@axentia.se
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/gpu/drm/drm_fb_helper.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1277,6 +1277,7 @@ int drm_fb_helper_setcmap(struct fb_cmap
 	const struct drm_crtc_helper_funcs *crtc_funcs;
 	u16 *red, *green, *blue, *transp;
 	struct drm_crtc *crtc;
+	u16 *r, *g, *b;
 	int i, j, rc = 0;
 	int start;
 
@@ -1305,6 +1306,24 @@ int drm_fb_helper_setcmap(struct fb_cmap
 		transp = cmap->transp;
 		start = cmap->start;
 
+		if (!crtc->gamma_size) {
+			rc = -EINVAL;
+			goto out;
+		}
+
+		if (cmap->start + cmap->len > crtc->gamma_size) {
+			rc = -EINVAL;
+			goto out;
+		}
+
+		r = crtc->gamma_store;
+		g = r + crtc->gamma_size;
+		b = g + crtc->gamma_size;
+
+		memcpy(r + cmap->start, cmap->red, cmap->len * sizeof(*r));
+		memcpy(g + cmap->start, cmap->green, cmap->len * sizeof(*g));
+		memcpy(b + cmap->start, cmap->blue, cmap->len * sizeof(*b));
+
 		for (j = 0; j < cmap->len; j++) {
 			u16 hred, hgreen, hblue, htransp = 0xffff;