From ad3b81ed30d3578ca9f69028fdbbc6b60541666a Mon Sep 17 00:00:00 2001
From: Lei Chen <chenlei@codeaurora.org>
Date: Thu, 9 Sep 2021 14:18:15 +0800
Subject: [PATCH] disp: msm: qpic: fix kw issues in QPIC display driver

This change is updated to address use after free and null checks
in QPIC display driver.

Change-Id: I97f1d941de69aad3d49cbf0c9782022b8f7db840
Signed-off-by: Lei Chen <chenlei@codeaurora.org>
---
 tinydrm/qpic_display.c       | 18 +++++++++++++-----
 tinydrm/qpic_display.h       |  2 +-
 tinydrm/qpic_panel_ili9341.c |  2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/tinydrm/qpic_display.c b/tinydrm/qpic_display.c
index d000751bdd76..d32241db2b2c 100644
--- a/tinydrm/qpic_display.c
+++ b/tinydrm/qpic_display.c
@@ -918,14 +918,22 @@ static const struct drm_mode_config_funcs qpic_mode_config_funcs = {
 static void qpic_display_fb_mark_dirty(struct drm_framebuffer *fb, struct drm_rect *rect)
 {
 	u32 size;
-	struct drm_gem_cma_object *cma_obj = drm_fb_cma_get_gem_obj(fb, 0);
-	struct dma_buf_attachment *import_attach = cma_obj->base.import_attach;
+	struct drm_gem_cma_object *cma_obj = NULL;
+	struct dma_buf_attachment *import_attach = NULL;
 	struct qpic_display_data *qpic_display = fb->dev->dev_private;
 
 	if (!qpic_display->is_qpic_on || !qpic_display->is_panel_on) {
 		pr_info("%s: qpic or panel is not enabled\n", __func__);
 		return;
 	}
+
+	cma_obj = drm_fb_cma_get_gem_obj(fb, 0);
+	if (!cma_obj) {
+		pr_err("failed to get gem obj\n");
+		return;
+	}
+	import_attach = cma_obj->base.import_attach;
+
 	/* currently QPIC display SW can't support partial updates */
 	rect->x1 = 0;
 	rect->x2 = fb->width;
@@ -1194,7 +1202,7 @@ int qpic_display_get_resource(struct qpic_display_data *qpic_display)
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qpic_base");
 	if (!res) {
 		pr_err("unable to get QPIC reg base address\n");
-		rc = -ENOMEM;
+		return -ENOMEM;
 	}
 
 	qpic_display->qpic_reg_size = resource_size(res);
@@ -1202,7 +1210,7 @@ int qpic_display_get_resource(struct qpic_display_data *qpic_display)
 					qpic_display->qpic_reg_size);
 	if (unlikely(!qpic_display->qpic_base)) {
 		pr_err("unable to map MDSS QPIC base\n");
-		rc = -ENOMEM;
+		return -ENOMEM;
 	}
 	qpic_display->qpic_phys = res->start;
 	pr_info("MDSS QPIC HW Base phy_Address=0x%x virt=0x%x\n",
@@ -1212,7 +1220,7 @@ int qpic_display_get_resource(struct qpic_display_data *qpic_display)
 	res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
 	if (!res) {
 		pr_err("unable to get QPIC irq\n");
-		rc = -ENODEV;
+		return -ENODEV;
 	}
 
 	qpic_display->qpic_clk = devm_clk_get(&pdev->dev, "core_clk");
diff --git a/tinydrm/qpic_display.h b/tinydrm/qpic_display.h
index 7e5af6e3a885..a91a99ba77b1 100644
--- a/tinydrm/qpic_display.h
+++ b/tinydrm/qpic_display.h
@@ -132,6 +132,6 @@ struct qpic_display_data {
 
 };
 
-int get_ili_qvga_panel_config(struct qpic_display_data *qpic_display);
+void get_ili_qvga_panel_config(struct qpic_display_data *qpic_display);
 
 #endif
diff --git a/tinydrm/qpic_panel_ili9341.c b/tinydrm/qpic_panel_ili9341.c
index 757dfd2a7371..db47abbf8172 100644
--- a/tinydrm/qpic_panel_ili9341.c
+++ b/tinydrm/qpic_panel_ili9341.c
@@ -76,7 +76,7 @@ static struct qpic_panel_config ili_qvga_panel = {
 	.bpp = 16,
 };
 
-int get_ili_qvga_panel_config(struct qpic_display_data *qpic_display)
+void get_ili_qvga_panel_config(struct qpic_display_data *qpic_display)
 {
 	qpic_display->panel_config = &ili_qvga_panel;
 	qpic_display->panel_on = ili9341_on;