
From a42f6e19316e9e5aaaf8bd2c3bec25fde136dcaa Mon Sep 17 00:00:00 2001
From: Jayant Shekhar <jshekhar@codeaurora.org>
Date: Thu, 22 Jun 2017 11:46:47 +0530
Subject: [PATCH] msm: mdss: Increase fbmem buf ref count before use
The reference count for fbmem buf is not increased before use,
which means it can be freed unintentionally when the reference
count is decreased to "0". In this case, there is a possibility of
a use after free. Ensure that the fbmem buf refcount is incremented
before use.
Bug: 37093119
Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
---
drivers/video/msm/mdss/mdss_mdp_overlay.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
index 86c6196432e10..4ab89d11d1daa 100644
--- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
+++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
@@ -3917,11 +3917,14 @@ static int mdss_fb_get_metadata(struct msm_fb_data_type *mfd,
break;
case metadata_op_get_ion_fd:
if (mfd->fb_ion_handle) {
+ get_dma_buf(mfd->fbmem_buf);
metadata->data.fbmem_ionfd =
dma_buf_fd(mfd->fbmem_buf, 0);
- if (metadata->data.fbmem_ionfd < 0)
+ if (metadata->data.fbmem_ionfd < 0) {
+ dma_buf_put(mfd->fbmem_buf);
pr_err("fd allocation failed. fd = %d\n",
metadata->data.fbmem_ionfd);
+ }
}
break;
case metadata_op_crc:
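Review bot: The new `get_dma_buf(mfd->fbmem_buf)` in the `metadata_op_get_ion_fd` case is guarded only by `mfd->fb_ion_handle`, so it dereferences `fbmem_buf` without checking that pointer itself, and nothing visible in the hunk serialises it against the path that releases the buffer. If that release can run concurrently, the reference would be taken on an already-freed dma_buf and the use-after-free this commit targets would still be reachable. Whether a lock is held here cannot be told from the hunk, because mdss_fb_get_metadata starts and ends outside it. Consider tightening the guard to `if (mfd->fb_ion_handle && mfd->fbmem_buf) {` and adding a comment such as `/* take our own ref: the fd installed by dma_buf_fd() owns it and drops it on close */` that also names the lock protecting `fbmem_buf`.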