Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

msm: display: check get_unused_fd_flags return val

Browse source 
Not checking the error code, which might be negative, will cause us to wrongly
reference fdt[fd] by using the error code, causing kernel panic in fd_install.

Change-Id: I1f8e68e74bdbdd5b81bc3450f7d93b5cd96c9439
Signed-off-by: Iliyan Malchev <malchev@google.com>
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
This commit is contained in:
Devin Kim 2012-11-12 13:58:26 -08:00 committed by Stephen Boyd
parent 4a0aea3355
commit 014c77fcd6
1 changed files with 17 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
drivers/video/msm/msm_fb.c
View file

@ -3613,18 +3613,24 @@ static int msmfb_handle_buf_sync_ioctl(struct msm_fb_data_type *mfd,
}
/* create fd */
mfd->cur_rel_fen_fd = get_unused_fd_flags(0);
if (mfd->cur_rel_fen_fd < 0) {
pr_err("%s: get_unused_fd_flags failed", __func__);
ret = -EIO;
goto buf_sync_err_2;
}
sync_fence_install(mfd->cur_rel_fence, mfd->cur_rel_fen_fd);
ret = copy_to_user(buf_sync->rel_fen_fd,
&mfd->cur_rel_fen_fd, sizeof(int));
if (ret) {
pr_err("%s:copy_to_user failed", __func__);
goto buf_sync_err_2;
goto buf_sync_err_3;
}
mutex_unlock(&mfd->sync_mutex);
return ret;
buf_sync_err_3:
put_unused_fd(mfd->cur_rel_fen_fd);
buf_sync_err_2:
sync_fence_put(mfd->cur_rel_fence);
put_unused_fd(mfd->cur_rel_fen_fd);
mfd->cur_rel_fence = NULL;
mfd->cur_rel_fen_fd = 0;
buf_sync_err_1:
@ -3679,6 +3685,11 @@ static int buf_fence_process(struct msm_fb_data_type *mfd,
}
/* create fd */
mfd->cur_rel_fen_fd = get_unused_fd_flags(0);
if (mfd->cur_rel_fen_fd < 0) {
pr_err("%s: get_unused_fd_flags failed", __func__);
ret = -EIO;
goto buf_fence_err_2;
}
sync_fence_install(mfd->cur_rel_fence, mfd->cur_rel_fen_fd);
buf_fence->rel_fen_fd[0] = mfd->cur_rel_fen_fd;
/* Only one released fd for now, -1 indicates an end */
@ -3686,6 +3697,10 @@ static int buf_fence_process(struct msm_fb_data_type *mfd,
mfd->acq_fen_cnt = buf_fence->acq_fen_fd_cnt;
mutex_unlock(&mfd->sync_mutex);
return ret;
buf_fence_err_2:
sync_fence_put(mfd->cur_rel_fence);
mfd->cur_rel_fence = NULL;
mfd->cur_rel_fen_fd = 0;
buf_fence_err_1:
for (i = 0; i < fence_cnt; i++)
sync_fence_put(mfd->acq_fen[i]);