mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From a42f6e19316e9e5aaaf8bd2c3bec25fde136dcaa Mon Sep 17 00:00:00 2001
|
|
From: Jayant Shekhar <jshekhar@codeaurora.org>
|
|
Date: Thu, 22 Jun 2017 11:46:47 +0530
|
|
Subject: [PATCH] msm: mdss: Increase fbmem buf ref count before use
|
|
|
|
The reference count for fbmem buf is not increased before use,
|
|
which means it can be get freed unintentionally when the reference
|
|
count is decreased to "0". In this case, there is possibility of
|
|
use after free. Ensure that fbmem buf refcount is incremented
|
|
before use.
|
|
|
|
Bug: 37093119
|
|
Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
|
|
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
|
|
---
|
|
drivers/video/msm/mdss/mdss_mdp_overlay.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
|
|
index 86c6196432e10..4ab89d11d1daa 100644
|
|
--- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
|
|
+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
|
|
@@ -3917,11 +3917,14 @@ static int mdss_fb_get_metadata(struct msm_fb_data_type *mfd,
|
|
break;
|
|
case metadata_op_get_ion_fd:
|
|
if (mfd->fb_ion_handle) {
|
|
+ get_dma_buf(mfd->fbmem_buf);
|
|
metadata->data.fbmem_ionfd =
|
|
dma_buf_fd(mfd->fbmem_buf, 0);
|
|
- if (metadata->data.fbmem_ionfd < 0)
|
|
+ if (metadata->data.fbmem_ionfd < 0) {
|
|
+ dma_buf_put(mfd->fbmem_buf);
|
|
pr_err("fd allocation failed. fd = %d\n",
|
|
metadata->data.fbmem_ionfd);
|
|
+ }
|
|
}
|
|
break;
|
|
case metadata_op_crc:
|