From ec3a993112ebb1c40d4a6b88f46e761dc196f45d Mon Sep 17 00:00:00 2001
From: Jayant Shekhar
Date: Thu, 22 Jun 2017 11:46:47 +0530
Subject: [PATCH] msm: mdss: Increase fbmem buf ref count before use

The reference count for fbmem buf is not increased before use, which means it can be get freed unintentionally when the reference count is decreased to "0". In this case, there is possibility of use after free. Ensure that fbmem buf refcount is incremented before use.

Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
Signed-off-by: Jayant Shekhar
---
 drivers/video/fbdev/msm/mdss_mdp_overlay.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/msm/mdss_mdp_overlay.c b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
index 91816611d24f..5933e94c1c19 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_overlay.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
@@ -4988,12 +4988,15 @@ static int mdss_fb_get_metadata(struct msm_fb_data_type *mfd,
 break;
 case metadata_op_get_ion_fd:
 if (mfd->fb_ion_handle && mfd->fb_ion_client) {
+ get_dma_buf(mfd->fbmem_buf);
 metadata->data.fbmem_ionfd = ion_share_dma_buf_fd(mfd->fb_ion_client, mfd->fb_ion_handle);
- if (metadata->data.fbmem_ionfd < 0)
+ if (metadata->data.fbmem_ionfd < 0) {
+ dma_buf_put(mfd->fbmem_buf);
 pr_err("fd allocation failed. fd = %d\n", metadata->data.fbmem_ionfd);
+ }
 }
 break;
 case metadata_op_crc:
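Review bot: The added `get_dma_buf(mfd->fbmem_buf)` is guarded only by `fb_ion_handle` and `fb_ion_client` being set, while `get_dma_buf()` dereferences its argument; unless `fbmem_buf` is guaranteed non-NULL whenever `fb_ion_handle` is (not visible from this hunk), the condition should also cover it: `if (mfd->fb_ion_handle && mfd->fb_ion_client && mfd->fbmem_buf) {`. The reference taken on the success path has no matching `dma_buf_put()` in this hunk, and it is not clear from here whether closing the returned fd releases this same object or a separate dma_buf created by `ion_share_dma_buf_fd()`; if the release happens elsewhere, a comment above the `get_dma_buf()` call naming that release site would make the lifetime auditable, and if it does not, each `metadata_op_get_ion_fd` call pins the framebuffer memory for good. The enclosing `mdss_fb_get_metadata()` begins and ends outside the hunk.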