staging: vboxvideo: Fix NULL ptr deref in vbox_set_up_input_mapping()

When vbox_set_up_input_mapping() gets called the first crtc might be
disable and not have a fb at all, triggering a NUL ptr deref at:

			vbox->input_mapping_width = CRTC_FB(crtci)->width;

Instead of using the fb from the crtc with id 0, just use the fb from
the first crtc with a fb. This is in the single_framebuffer = true path,
so all crtc-s point to the same fb anyways.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/vboxvideo/vbox_mode.c b/drivers/staging/vboxvideo/vbox_mode.c
index 1a2416a..910ea19 100644 (file)
--- a/drivers/staging/vboxvideo/vbox_mode.c
+++ b/drivers/staging/vboxvideo/vbox_mode.c
@@ -189,17 +189,17 @@ static bool vbox_set_up_input_mapping(struct vbox_private *vbox)
                }
        }
        if (single_framebuffer) {
+               vbox->single_framebuffer = true;
                list_for_each_entry(crtci, &vbox->ddev.mode_config.crtc_list,
                                    head) {
-                       if (to_vbox_crtc(crtci)->crtc_id != 0)
+                       if (!CRTC_FB(crtci))
                                continue;
 
-                       vbox->single_framebuffer = true;
                        vbox->input_mapping_width = CRTC_FB(crtci)->width;
                        vbox->input_mapping_height = CRTC_FB(crtci)->height;
-                       return old_single_framebuffer !=
-                              vbox->single_framebuffer;
+                       break;
                }
+               return old_single_framebuffer != vbox->single_framebuffer;
        }
        /* Otherwise calculate the total span of all screens. */
        list_for_each_entry(connectori, &vbox->ddev.mode_config.connector_list,