From cbd677d1ae29b980bba2477a38cbd81ba5ba92f7 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org>
Date: Mon, 18 Apr 2016 17:53:12 +0530
Subject: [PATCH] msm: mdss: Fix potential NULL pointer dereferences

Fixing potential NULL pointer dereferences in MDSS driver.

Change-Id: Idbb3b2524b3c2165e9922d934047b7ba46141a6c
Signed-off-by: Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org>
---
 drivers/video/fbdev/msm/mdss_debug.c       |  3 +++
 drivers/video/fbdev/msm/mdss_dsi_panel.c   |  2 +-
 drivers/video/fbdev/msm/mdss_mdp_ctl.c     | 12 ++++++------
 drivers/video/fbdev/msm/mdss_mdp_overlay.c |  6 ++++--
 drivers/video/fbdev/msm/msm_dba/adv7533.c  |  6 +++---
 5 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c
index 39848366a55b..3e1e8f98b4b8 100644
--- a/drivers/video/fbdev/msm/mdss_debug.c
+++ b/drivers/video/fbdev/msm/mdss_debug.c
@@ -1390,6 +1390,9 @@ void mdss_misr_disable(struct mdss_data_type *mdata,
 	map = mdss_misr_get_map(req->block_id, ctl, mdata,
 		ctl->is_video_mode);
 
+	if (!map)
+		return;
+
 	/* clear the map data */
 	memset(map->crc_ping, 0, sizeof(map->crc_ping));
 	memset(map->crc_pong, 0, sizeof(map->crc_pong));
diff --git a/drivers/video/fbdev/msm/mdss_dsi_panel.c b/drivers/video/fbdev/msm/mdss_dsi_panel.c
index 9548ea471385..b7b8621a60ea 100644
--- a/drivers/video/fbdev/msm/mdss_dsi_panel.c
+++ b/drivers/video/fbdev/msm/mdss_dsi_panel.c
@@ -354,7 +354,7 @@ int mdss_dsi_panel_reset(struct mdss_panel_data *pdata, int enable)
 		}
 
 		if (gpio_is_valid(ctrl_pdata->lcd_mode_sel_gpio)) {
-			bool out;
+			bool out = false;
 
 			if ((pinfo->mode_sel_state == MODE_SEL_SINGLE_PORT) ||
 				(pinfo->mode_sel_state == MODE_GPIO_HIGH))
diff --git a/drivers/video/fbdev/msm/mdss_mdp_ctl.c b/drivers/video/fbdev/msm/mdss_mdp_ctl.c
index 3fc6d94393d5..fb9b02c75b12 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_ctl.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_ctl.c
@@ -1162,7 +1162,7 @@ int mdss_mdp_perf_calc_pipe(struct mdss_mdp_pipe *pipe,
 	prefill_params.is_hflip = pipe->flags & MDP_FLIP_LR;
 	prefill_params.is_cmd = !mixer->ctl->is_video_mode;
 	prefill_params.pnum = pipe->num;
-	prefill_params.is_bwc = mdss_mdp_is_ubwc_format(pipe->src_fmt);
+	prefill_params.is_ubwc = mdss_mdp_is_ubwc_format(pipe->src_fmt);
 	prefill_params.is_nv12 = mdss_mdp_is_nv12_format(pipe->src_fmt);
 
 	mdss_mdp_get_bw_vote_mode(mixer, mdata->mdp_rev, perf,
@@ -4426,17 +4426,17 @@ void mdss_mdp_set_roi(struct mdss_mdp_ctl *ctl,
 	}
 
 	previous_frame_pu_type = mdss_mdp_get_pu_type(ctl);
-	mdss_mdp_set_mixer_roi(ctl->mixer_left, l_roi);
-	if (ctl->mixer_left)
+	if (ctl->mixer_left) {
+		mdss_mdp_set_mixer_roi(ctl->mixer_left, l_roi);
 		ctl->roi = ctl->mixer_left->roi;
+	}
 
 	if (ctl->mfd->split_mode == MDP_DUAL_LM_DUAL_DISPLAY) {
 		struct mdss_mdp_ctl *sctl = mdss_mdp_get_split_ctl(ctl);
 
-		if (sctl) {
+		if (sctl && sctl->mixer_left) {
 			mdss_mdp_set_mixer_roi(sctl->mixer_left, r_roi);
-			if (sctl->mixer_left)
-				sctl->roi = sctl->mixer_left->roi;
+			sctl->roi = sctl->mixer_left->roi;
 		}
 	} else if (is_dual_lm_single_display(ctl->mfd) && ctl->mixer_right) {
 
diff --git a/drivers/video/fbdev/msm/mdss_mdp_overlay.c b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
index e5cdc750193e..0a9bc4a8d424 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_overlay.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
@@ -3407,18 +3407,20 @@ static ssize_t mdss_mdp_misr_store(struct device *dev,
 		req.frame_count = 1;
 	} else {
 		pr_err("misr not supported fo this fb:%d\n", mfd->index);
+		rc = -ENODEV;
+		return rc;
 	}
 
 	if (enable_misr) {
 		mdss_misr_set(mdata, &req , ctl);
 
-		if (is_panel_split(mfd))
+		if ((ctl->intf_type == MDSS_INTF_DSI) && is_panel_split(mfd))
 			mdss_misr_set(mdata, &sreq , ctl);
 
 	} else {
 		mdss_misr_disable(mdata, &req, ctl);
 
-		if (is_panel_split(mfd))
+		if ((ctl->intf_type == MDSS_INTF_DSI) && is_panel_split(mfd))
 			mdss_misr_disable(mdata, &sreq , ctl);
 	}
 
diff --git a/drivers/video/fbdev/msm/msm_dba/adv7533.c b/drivers/video/fbdev/msm/msm_dba/adv7533.c
index a3b4466d105d..8503d84e0de4 100644
--- a/drivers/video/fbdev/msm/msm_dba/adv7533.c
+++ b/drivers/video/fbdev/msm/msm_dba/adv7533.c
@@ -880,8 +880,8 @@ static void adv7533_handle_cec_intr(struct adv7533 *pdata, u8 cec_status)
 {
 	u8 cec_int_clear = 0x08;
 	bool cec_rx_intr = false;
-	u8 cec_rx_ready;
-	u8 cec_rx_timestamp;
+	u8 cec_rx_ready = 0;
+	u8 cec_rx_timestamp = 0;
 
 	if (!pdata) {
 		pr_err("%s: Invalid input\n", __func__);
@@ -983,7 +983,7 @@ end:
 
 static void *adv7533_handle_hpd_intr(struct adv7533 *pdata)
 {
-	int ret;
+	int ret = 0;
 	u8 hpd_state;
 	u8 connected = 0, disconnected = 0;