msm: mdss: Increase fbmem buf ref count before use in mdp3
The reference count for fbmem buf is not increased before use, which means it can be get freed unintentionally when the reference count is decreased to "0". In this case, there is possibility of use after free. Ensure that fbmem buf refcount is incremented before use mdp3 driver. Change-Id: I38787c27a26ae550c6fb28697a7583490ad19df8 Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>
This commit is contained in:
Sachin Bhayare
Gerrit - the friendly Code Review server
parent
43fb4adbdc
commit
e9d6a3f0a7
1 changed files with 5 additions and 2 deletions
|
|
@ -1564,13 +1564,16 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,
|
|||
break;
|
||||
case metadata_op_get_ion_fd:
|
||||
if (mfd->fb_ion_handle && mfd->fb_ion_client) {
|
||||
get_dma_buf(mfd->fbmem_buf);
|
||||
metadata->data.fbmem_ionfd =
|
||||
ion_share_dma_buf_fd(mfd->fb_ion_client,
|
||||
mfd->fb_ion_handle);
|
||||
if (metadata->data.fbmem_ionfd < 0)
|
||||
if (metadata->data.fbmem_ionfd < 0) {
|
||||
dma_buf_put(mfd->fbmem_buf);
|
||||
pr_err("fd allocation failed. fd = %d\n",
|
||||
metadata->data.fbmem_ionfd);
|
||||
}
|
||||
}
|
||||
break;
|
||||
default:
|
||||
pr_warn("Unsupported request to MDP GET META IOCTL.\n");
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue