msm: mdss: Increase fbmem buf ref count before use in mdp3

The reference count for fbmem buf is not increased before use,
which means it can be get freed unintentionally when the reference
count is decreased to "0". In this case, there is possibility of
use after free. Ensure that fbmem buf refcount is incremented
before use mdp3 driver.

Change-Id: I38787c27a26ae550c6fb28697a7583490ad19df8
Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>

diff --git a/drivers/video/fbdev/msm/mdp3_ctrl.c b/drivers/video/fbdev/msm/mdp3_ctrl.c
index dff8b63..8a9e8ac 100644 (file)
--- a/drivers/video/fbdev/msm/mdp3_ctrl.c
+++ b/drivers/video/fbdev/msm/mdp3_ctrl.c
@@ -1564,12 +1564,15 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,
                break;
        case metadata_op_get_ion_fd:
                if (mfd->fb_ion_handle && mfd->fb_ion_client) {
+                       get_dma_buf(mfd->fbmem_buf);
                        metadata->data.fbmem_ionfd =
                                ion_share_dma_buf_fd(mfd->fb_ion_client,
                                        mfd->fb_ion_handle);
-                       if (metadata->data.fbmem_ionfd < 0)
+                       if (metadata->data.fbmem_ionfd < 0) {
+                               dma_buf_put(mfd->fbmem_buf);
                                pr_err("fd allocation failed. fd = %d\n",
-                                               metadata->data.fbmem_ionfd);
+                                       metadata->data.fbmem_ionfd);
+                       }
                }
                break;
        default: