evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: mdss: Increase fbmem buf ref count before use in mdp3

Browse source 
The reference count for fbmem buf is not increased before use,
which means it can be get freed unintentionally when the reference
count is decreased to "0". In this case, there is possibility of
use after free. Ensure that fbmem buf refcount is incremented
before use mdp3 driver.

Change-Id: I38787c27a26ae550c6fb28697a7583490ad19df8
Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>
This commit is contained in:
Sachin Bhayare 2018-04-12 18:57:52 +05:30 committed by Gerrit - the friendly Code Review server
parent 43fb4adbdc
commit e9d6a3f0a7
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/video/fbdev/msm/mdp3_ctrl.c
View file

@ -1564,12 +1564,15 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,
break; break;
case metadata_op_get_ion_fd: case metadata_op_get_ion_fd:
if (mfd->fb_ion_handle && mfd->fb_ion_client) { if (mfd->fb_ion_handle && mfd->fb_ion_client) {
get_dma_buf(mfd->fbmem_buf);
metadata->data.fbmem_ionfd = metadata->data.fbmem_ionfd =
ion_share_dma_buf_fd(mfd->fb_ion_client, ion_share_dma_buf_fd(mfd->fb_ion_client,
mfd->fb_ion_handle); mfd->fb_ion_handle);
if (metadata->data.fbmem_ionfd < 0) if (metadata->data.fbmem_ionfd < 0) {
dma_buf_put(mfd->fbmem_buf);
pr_err("fd allocation failed. fd = %d\n", pr_err("fd allocation failed. fd = %d\n",
metadata->data.fbmem_ionfd); metadata->data.fbmem_ionfd);
}
} }
break; break;
default: default: