Commit a1c3e3e0 authored by Archit Taneja's avatar Archit Taneja Committed by Rob Clark

drm/msm: mdp4: Fix drm_framebuffer dereference crash

mdp4_get_frame_format() can dereference a drm_framebuffer when it's NULL.
Call it in mdp4_plane_mode_set only when we know fb is non-NULL.
Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
parent ac451467
...@@ -220,13 +220,15 @@ static int mdp4_plane_mode_set(struct drm_plane *plane, ...@@ -220,13 +220,15 @@ static int mdp4_plane_mode_set(struct drm_plane *plane,
uint32_t op_mode = 0; uint32_t op_mode = 0;
uint32_t phasex_step = MDP4_VG_PHASE_STEP_DEFAULT; uint32_t phasex_step = MDP4_VG_PHASE_STEP_DEFAULT;
uint32_t phasey_step = MDP4_VG_PHASE_STEP_DEFAULT; uint32_t phasey_step = MDP4_VG_PHASE_STEP_DEFAULT;
enum mdp4_frame_format frame_type = mdp4_get_frame_format(fb); enum mdp4_frame_format frame_type;
if (!(crtc && fb)) { if (!(crtc && fb)) {
DBG("%s: disabled!", mdp4_plane->name); DBG("%s: disabled!", mdp4_plane->name);
return 0; return 0;
} }
frame_type = mdp4_get_frame_format(fb);
/* src values are in Q16 fixed point, convert to integer: */ /* src values are in Q16 fixed point, convert to integer: */
src_x = src_x >> 16; src_x = src_x >> 16;
src_y = src_y >> 16; src_y = src_y >> 16;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment