msm: mdp3: fix the use after free problem

Currently, on the failure path, the file obtained with fdget is
released in mdp3_get_img and then released again in mdp3_put_img.
This can cause a use-after-free issue.

Change-Id: Ic2ad97a201d36b2bb49d3fdc93bb19ce089b6cb4
Signed-off-by: Raghavendra Ambadas <quic_c_rambad@quicinc.com>
Signed-off-by: srikanthreddy ponogoti <quic_sponogot@quicinc.com>
Raghavendra Ambadas
2022-03-29 22:37:30 +05:30
committed by Michael Bestas
parent 802ccb9d87
commit faf7f0ed58


@@ -1,4 +1,5 @@
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (C) 2007 Google Incorporated
*
* This software is licensed under the terms of the GNU General Public
@@ -1397,17 +1398,12 @@ int mdp3_get_img(struct msmfb_data *img, struct mdp3_img_data *data, int client)
&data->len, fb_num);
if (ret) {
pr_err("mdss_fb_get_phys_info() failed\n");
fdput(f);
memset(&f, 0, sizeof(struct fd));
}
} else {
pr_err("invalid FB_MAJOR\n");
fdput(f);
ret = -EINVAL;
}
data->srcp_f = f;
if (!ret)
goto done;
} else if (iclient) {
data->srcp_dma_buf = dma_buf_get(img->memory_id);
if (IS_ERR(data->srcp_dma_buf)) {
@@ -1463,7 +1459,6 @@ int mdp3_get_img(struct msmfb_data *img, struct mdp3_img_data *data, int client)
data->mapped = true;
data->skip_detach = false;
}
done:
if (client == MDP3_CLIENT_PPP || client == MDP3_CLIENT_DMA_P) {
data->addr += data->tab_clone->sgl->length;
data->len -= data->tab_clone->sgl->length;
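Review bot: At the end of the last hunk, `data->tab_clone->sgl->length` is dereferenced for `MDP3_CLIENT_PPP`/`MDP3_CLIENT_DMA_P` with no check of `ret`, and the framebuffer branch in the second hunk reaches that point on both its success and failure paths without setting `tab_clone` in any visible line. If `tab_clone` can be unset or stale there, this is an invalid pointer dereference; once its initialisation outside the hunk is confirmed, the condition could be gated as `if (!ret && !IS_ERR_OR_NULL(data->tab_clone) && (client == MDP3_CLIENT_PPP || client == MDP3_CLIENT_DMA_P)) {`. The rendered page has lost its `+`/`-` markers, so which `fdput(f)` lines survive is inferred from the hunk counts. Assuming they were removed, a comment at `data->srcp_f = f;` such as `/* fd reference is dropped by mdp3_put_img(); do not fdput() here */` would record the single-release rule this fix relies on. `mdp3_get_img` starts and ends outside the visible hunks, so the remaining error paths should be checked to confirm each one reaches `mdp3_put_img` exactly once.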