| author | Sree Sesha Aravind Vadrevu <svadrevu@codeaurora.org> | 2013-06-11 15:53:04 -0700 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-23 20:18:17 -0700 |
| commit | fa306e774ce31e290c9eaf15bdd4799650dafd5e (patch) | |
| tree | 3fd892664fd3f47a9d85691cddc90572024bbbdd | |
| parent | 1c1b38afdd058bb602e14b2ca1d00cbc05402a2d (diff) | |
msm: mdss: Avoid null pointer dereferences
Null check on mfd param in overlay api needs to be performed
to avoid kernel panic.
CRs-fixed: 498973
Change-Id: If37284ab83bc678714fd8eed20f6adcb689846fa
Signed-off-by: Sree Sesha Aravind Vadrevu <svadrevu@codeaurora.org>
| -rw-r--r-- | drivers/video/fbdev/msm/mdss_mdp_overlay.c | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/drivers/video/fbdev/msm/mdss_mdp_overlay.c b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
index 43de734ca770..74e42dd08508 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_overlay.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
@@ -833,9 +833,14 @@ static int mdss_mdp_overlay_release(struct msm_fb_data_type *mfd, int ndx)
 static int mdss_mdp_overlay_unset(struct msm_fb_data_type *mfd, int ndx)
 {
 int ret = 0;
- struct mdss_overlay_private *mdp5_data = mfd_to_mdp5_data(mfd);
+ struct mdss_overlay_private *mdp5_data;
+
+ if (!mfd)
+ return -ENODEV;
+
+ mdp5_data = mfd_to_mdp5_data(mfd);
 
- if (!mfd || !mdp5_data->ctl)
+ if (!mdp5_data || !mdp5_data->ctl)
 return -ENODEV;
 
 ret = mutex_lock_interruptible(&mdp5_data->ov_lock);
@@ -1158,14 +1163,18 @@ static void mdss_mdp_overlay_pan_display(struct msm_fb_data_type *mfd)
 struct mdss_mdp_data data;
 struct mdss_mdp_pipe *pipe;
 struct fb_info *fbi;
- struct mdss_overlay_private *mdp5_data = mfd_to_mdp5_data(mfd);
+ struct mdss_overlay_private *mdp5_data;
 u32 offset;
 int bpp, ret;
 
- if (!mfd || !mdp5_data->ctl)
+ if (!mfd)
 return;
 
 fbi = mfd->fbi;
+ mdp5_data = mfd_to_mdp5_data(mfd);
+
+ if (!mdp5_data || !mdp5_data->ctl)
+ return;
 
 if (!fbi->fix.smem_start || fbi->fix.smem_len == 0 ||
 mdp5_data->borderfill_enable) {
@@ -1848,14 +1857,17 @@ static int mdss_mdp_overlay_ioctl_handler(struct msm_fb_data_type *mfd,
 static int mdss_mdp_overlay_on(struct msm_fb_data_type *mfd)
 {
 int rc;
- struct mdss_overlay_private *mdp5_data = mfd_to_mdp5_data(mfd);
-
+ struct mdss_overlay_private *mdp5_data;
 if (!mfd)
 return -ENODEV;
 
 if (mfd->key != MFD_KEY)
 return -EINVAL;
 
+ mdp5_data = mfd_to_mdp5_data(mfd);
+ if (!mdp5_data)
+ return -EINVAL;
+
 if (!mdp5_data->ctl) {
 struct mdss_mdp_ctl *ctl;
 struct mdss_panel_data *pdata;
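Review bot: In mdss_mdp_overlay_pan_display, `fbi = mfd->fbi;` is still dereferenced unchecked in `if (!fbi->fix.smem_start || ...` a few lines below, so the function keeps one of the NULL-dereference paths this commit sets out to close. Whether `mfd->fbi` can be NULL at this point is not visible from the hunk; if it can, add `if (!fbi) return;` directly after the assignment. The function is void and returns silently on every guard, so a `pr_debug` on the new early return would make a skipped pan visible in the log. The function body starts and ends outside the hunk.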
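Review bot: mdss_mdp_overlay_on returns `-EINVAL` when `mfd_to_mdp5_data(mfd)` yields NULL, while mdss_mdp_overlay_unset and mdss_mdp_overlay_off in this same patch return `-ENODEV` for the identical condition. Callers cannot tell a missing device from a bad argument unless the three agree; I would use `return -ENODEV;` here as well. Separately, this hunk and the mdss_mdp_overlay_off hunk drop the blank line between the `mdp5_data` declaration and `if (!mfd)`, which checkpatch flags as a missing blank line after declarations. The function body continues past the end of the hunk.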
@@ -1910,15 +1922,16 @@ static int mdss_mdp_overlay_on(struct msm_fb_data_type *mfd)
 static int mdss_mdp_overlay_off(struct msm_fb_data_type *mfd)
 {
 int rc;
- struct mdss_overlay_private *mdp5_data = mfd_to_mdp5_data(mfd);
-
+ struct mdss_overlay_private *mdp5_data;
 if (!mfd)
 return -ENODEV;
 
 if (mfd->key != MFD_KEY)
 return -EINVAL;
 
- if (!mdp5_data->ctl) {
+ mdp5_data = mfd_to_mdp5_data(mfd);
+
+ if (!mdp5_data || !mdp5_data->ctl) {
 pr_err("ctl not initialized\n");
 return -ENODEV;
 }
|
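Review bot: In mdss_mdp_overlay_off the combined test `if (!mdp5_data || !mdp5_data->ctl)` still logs `"ctl not initialized\n"`, so a missing private-data pointer is reported as a missing ctl. Either split the two cases or reword the message, for example `pr_err("overlay data or ctl not initialized\n");`, so the kernel log points at the right object when this path is triaged. The function continues outside the hunk.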
