From 0bf1f85ad6e93fd114f986c3ee0a879f1ca5b857 Mon Sep 17 00:00:00 2001 From: raghavendra ambadas Date: Mon, 1 Jul 2019 16:23:36 +0530 Subject: [PATCH] fbdev: msm: check for target supports dest scaler user space can send commit message with dest scaler structure populated, this would cause null pointer access, if dest scaler is not initialized, this change validate if target supports dest scaler. Change-Id: I37516f4704a013d4628688930783d6e7ab93277f Signed-off-by: Raghavendra Ambadas --- drivers/video/fbdev/msm/mdss_fb.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c index 1b408e2838d6..f56e50d516cd 100644 --- a/drivers/video/fbdev/msm/mdss_fb.c +++ b/drivers/video/fbdev/msm/mdss_fb.c @@ -1,7 +1,7 @@ /* * Core MDSS framebuffer driver. * - * Copyright (c) 2008-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2008-2019, The Linux Foundation. All rights reserved. * Copyright (C) 2007 Google Incorporated * * This software is licensed under the terms of the GNU General Public @@ -4662,6 +4662,7 @@ static int mdss_fb_atomic_commit_ioctl(struct fb_info *info, struct mdp_destination_scaler_data __user *ds_data_user; struct msm_fb_data_type *mfd; struct mdss_overlay_private *mdp5_data = NULL; + struct mdss_data_type *mdata; ret = copy_from_user(&commit, argp, sizeof(struct mdp_layer_commit)); if (ret) { @@ -4764,6 +4765,13 @@ static int mdss_fb_atomic_commit_ioctl(struct fb_info *info, ds_data_user = commit.commit_v1.dest_scaler; if ((ds_data_user) && (commit.commit_v1.dest_scaler_cnt)) { + mdata = mfd_to_mdata(mfd); + if (!mdata || !mdata->scaler_off || + !mdata->scaler_off->has_dest_scaler) { + pr_err("dest scaler not supported\n"); + ret = -EPERM; + goto err; + } ret = __mdss_fb_copy_destscaler_data(info, &commit); if (ret) { pr_err("copy dest scaler failed\n");