authorSachin Bhayare <sachin.bhayare@codeaurora.org>2018-04-12 18:57:52 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-05-09 05:32:43 -0700
commite9d6a3f0a7e45c63b81ec0fe64eed4d5aacbe22b (patch)
treedeb2ec6d749de112c5393d11eb072bb72188cd6f
parent43fb4adbdcdb9c312cb53fdc93ee8fd81569b96d (diff)
msm: mdss: Increase fbmem buf ref count before use in mdp3
The reference count for fbmem buf is not increased before use, which means it can get freed unintentionally when the reference count is decreased to "0". In this case, a use-after-free is possible. Ensure that the fbmem buf refcount is incremented before use in the mdp3 driver. Change-Id: I38787c27a26ae550c6fb28697a7583490ad19df8 Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>
-rw-r--r--drivers/video/fbdev/msm/mdp3_ctrl.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/video/fbdev/msm/mdp3_ctrl.c b/drivers/video/fbdev/msm/mdp3_ctrl.c
index dff8b63eea64..8a9e8acf6c0e 100644
--- a/drivers/video/fbdev/msm/mdp3_ctrl.c
+++ b/drivers/video/fbdev/msm/mdp3_ctrl.c
@@ -1564,12 +1564,15 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,
break;
case metadata_op_get_ion_fd:
if (mfd->fb_ion_handle && mfd->fb_ion_client) {
+ get_dma_buf(mfd->fbmem_buf);
metadata->data.fbmem_ionfd =
ion_share_dma_buf_fd(mfd->fb_ion_client,
mfd->fb_ion_handle);
- if (metadata->data.fbmem_ionfd < 0)
+ if (metadata->data.fbmem_ionfd < 0) {
+ dma_buf_put(mfd->fbmem_buf);
pr_err("fd allocation failed. fd = %d\n",
- metadata->data.fbmem_ionfd);
+ metadata->data.fbmem_ionfd);
+ }
}
break;
default:
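Review bot: The success path of the `metadata_op_get_ion_fd` case does not show what releases the reference taken by `get_dma_buf(mfd->fbmem_buf)`: the fd returned to the caller comes from `ion_share_dma_buf_fd(mfd->fb_ion_client, mfd->fb_ion_handle)`, so the extra count is dropped on close only if that fd wraps the same dma_buf as `mfd->fbmem_buf`, which is not visible here. If it does not, each successful call would leave one reference behind; a comment such as `/* ref dropped by the dma_buf release when the returned fd is closed */` above the `get_dma_buf()` line, or a matching put, would settle it. The guard also tests only `fb_ion_handle` and `fb_ion_client`, while `get_dma_buf()` dereferences its argument, so `if (mfd->fb_ion_handle && mfd->fb_ion_client && mfd->fbmem_buf) {` is safer unless `fbmem_buf` is guaranteed non-NULL whenever the handle is set. `mdp3_get_metadata` starts and ends outside this hunk, so any locking that serializes this case against the path that frees the buffer cannot be checked from here.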