From: Archit Taneja Date: Fri, 26 Jun 2015 10:19:43 +0000 (+0530) Subject: drm/msm: mdp4: Fix drm_framebuffer dereference crash X-Git-Tag: firefly_0821_release~176^2~1083^2~31^2~44 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=507d71b1fa91e2ea5887fcc347d5e71605e113f8;p=firefly-linux-kernel-4.4.55.git drm/msm: mdp4: Fix drm_framebuffer dereference crash mdp4_get_frame_format() can dereference a drm_framebuffer when it's NULL. Call it in mdp4_plane_mode_set only when we know fb is non-NULL. Signed-off-by: Archit Taneja Signed-off-by: Rob Clark --- diff --git a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_plane.c b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_plane.c index 0d1dbb737933..247a424445f7 100644 --- a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_plane.c +++ b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_plane.c @@ -220,13 +220,15 @@ static int mdp4_plane_mode_set(struct drm_plane *plane, uint32_t op_mode = 0; uint32_t phasex_step = MDP4_VG_PHASE_STEP_DEFAULT; uint32_t phasey_step = MDP4_VG_PHASE_STEP_DEFAULT; - enum mdp4_frame_format frame_type = mdp4_get_frame_format(fb); + enum mdp4_frame_format frame_type; if (!(crtc && fb)) { DBG("%s: disabled!", mdp4_plane->name); return 0; } + frame_type = mdp4_get_frame_format(fb); + /* src values are in Q16 fixed point, convert to integer: */ src_x = src_x >> 16; src_y = src_y >> 16;