From: Hans de Goede <hdegoede@redhat.com>
Date: Tue, 18 Sep 2018 17:44:36 +0000 (+0200)
Subject: staging: vboxvideo: Fix NULL ptr deref in vbox_set_up_input_mapping()
X-Git-Tag: v5.4-rc1~2324^2~316
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=114094c83ed334524ee1a50bd8c08425f361148b;p=platform%2Fkernel%2Flinux-rpi.git

staging: vboxvideo: Fix NULL ptr deref in vbox_set_up_input_mapping()

When vbox_set_up_input_mapping() gets called the first crtc might be
disable and not have a fb at all, triggering a NUL ptr deref at:

			vbox->input_mapping_width = CRTC_FB(crtci)->width;

Instead of using the fb from the crtc with id 0, just use the fb from
the first crtc with a fb. This is in the single_framebuffer = true path,
so all crtc-s point to the same fb anyways.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/vboxvideo/vbox_mode.c b/drivers/staging/vboxvideo/vbox_mode.c
index 1a2416a..910ea19 100644
--- a/drivers/staging/vboxvideo/vbox_mode.c
+++ b/drivers/staging/vboxvideo/vbox_mode.c
@@ -189,17 +189,17 @@ static bool vbox_set_up_input_mapping(struct vbox_private *vbox)
 		}
 	}
 	if (single_framebuffer) {
+		vbox->single_framebuffer = true;
 		list_for_each_entry(crtci, &vbox->ddev.mode_config.crtc_list,
 				    head) {
-			if (to_vbox_crtc(crtci)->crtc_id != 0)
+			if (!CRTC_FB(crtci))
 				continue;
 
-			vbox->single_framebuffer = true;
 			vbox->input_mapping_width = CRTC_FB(crtci)->width;
 			vbox->input_mapping_height = CRTC_FB(crtci)->height;
-			return old_single_framebuffer !=
-			       vbox->single_framebuffer;
+			break;
 		}
+		return old_single_framebuffer != vbox->single_framebuffer;
 	}
 	/* Otherwise calculate the total span of all screens. */
 	list_for_each_entry(connectori, &vbox->ddev.mode_config.connector_list,