From cde1a1f673668eaf7af907d7c9a3a4b5d645854e Mon Sep 17 00:00:00 2001 From: Benet Clark Date: Thu, 4 Jun 2015 18:25:09 -0700 Subject: [PATCH] msm: mdss: Copy only error code back to userspace after atomic commit Previously, the atomic commit ioctl copies the entire kernel layer list to the userspace layer list structure. The only parameter modified during atomic commit should be the error code, and therefore, the only value needed by userspace after the atomic commit ioctl returns. Copying the kernel layer list structure causes the userspace to have stale kernel pointer references to scale and PP info structures. Change-Id: Ia8e96af21f7d9594a47d1503f3afef50a767971f Signed-off-by: Benet Clark --- drivers/video/fbdev/msm/mdss_fb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c index 77019bc394e5..a5180898cb73 100644 --- a/drivers/video/fbdev/msm/mdss_fb.c +++ b/drivers/video/fbdev/msm/mdss_fb.c @@ -3791,7 +3791,7 @@ static int mdss_fb_display_commit(struct fb_info *info, static int mdss_fb_atomic_commit_ioctl(struct fb_info *info, unsigned long *argp) { - int ret, i = 0, rc; + int ret, i = 0, j = 0, rc; struct mdp_layer_commit commit; u32 buffer_size, layer_count; struct mdp_input_layer *layer, *layer_list = NULL; @@ -3879,9 +3879,12 @@ static int mdss_fb_atomic_commit_ioctl(struct fb_info *info, pr_err("atomic commit failed ret:%d\n", ret); if (layer_count) { - rc = copy_to_user(input_layer_list, layer_list, buffer_size); - if (rc) - pr_err("layer error code copy to user failed\n"); + for (j = 0; j < layer_count; j++) { + rc = copy_to_user(&input_layer_list[i].error_code, + &layer_list[i].error_code, sizeof(int)); + if (rc) + pr_err("layer error code copy to user failed\n"); + } commit.commit_v1.input_layers = input_layer_list; commit.commit_v1.output_layer = output_layer_user;