Commit a1b61bc4 authored Jul 11, 2017 by Mishra Mahima Committed by Krishna Manikandan Jul 18, 2017

msm: mdss: Increase fbmem buf ref count before use



The reference count for fbmem buf is not increased before use,
which means it can be get freed unintentionally when the reference
count is decreased to "0". In this case, there is possibility of
use after free. Ensure that fbmem buf refcount is incremented
before use.

Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
Signed-off-by: Mishra Mahima <mahima@codeaurora.org>

parent 1a7276f0

drivers/video/msm/mdss/mdss_mdp_overlay.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -5215,13 +5215,16 @@ static int mdss_fb_get_metadata(struct msm_fb_data_type *mfd,
		break;
		case metadata_op_get_ion_fd:
		if (mfd->fb_ion_handle && mfd->fb_ion_client) {
		get_dma_buf(mfd->fbmem_buf);
		metadata->data.fbmem_ionfd =
		ion_share_dma_buf_fd(mfd->fb_ion_client,
		mfd->fb_ion_handle);
		if (metadata->data.fbmem_ionfd < 0)
		if (metadata->data.fbmem_ionfd < 0) {
		dma_buf_put(mfd->fbmem_buf);
		pr_err("fd allocation failed. fd = %d\n",
		metadata->data.fbmem_ionfd);
		}
		}
		break;
		case metadata_op_crc:
		ctl = mfd_to_ctl(mfd);