From a9d0cbf474511070c13990b1a1ba7a22bba62b8e Mon Sep 17 00:00:00 2001
From: Mark Yao
Date: Sun, 26 Jun 2016 21:49:21 -0400
Subject: drm_gralloc: fix random crash with wildpointer two drm handle may use same bo, but there is no reference protect. if one of the drm handle release the bo, another handle's bo become a wildpointer, any read/write on the wildpointer will cause system unstable, crash.
Change-Id: Ieaca522e3372dba82c48961499b9b657ca33cd15
Signed-off-by: Mark Yao
---
 gralloc_drm.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gralloc_drm.c b/gralloc_drm.c
index 23815bb..40342cb 100644
--- a/gralloc_drm.c
+++ b/gralloc_drm.c
@@ -235,7 +235,15 @@ static struct gralloc_drm_bo_t *validate_handle(buffer_handle_t _handle,
 */
 int gralloc_drm_handle_register(buffer_handle_t handle, struct gralloc_drm_t *drm)
 {
- return (validate_handle(handle, drm)) ? 0 : -EINVAL;
+ struct gralloc_drm_bo_t *bo;
+
+ bo = validate_handle(handle, drm);
+ if (!bo)
+ return -EINVAL;
+
+ bo->refcount++;
+
+ return 0;
 }
 
 /*
@@ -249,6 +257,7 @@ int gralloc_drm_handle_unregister(buffer_handle_t handle)
 if (!bo)
 return -EINVAL;
 
+ gralloc_drm_bo_decref(bo);
 if (bo->imported)
 gralloc_drm_bo_decref(bo);
 
-- 
cgit v1.1
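Review bot: The `bo->refcount++` added to gralloc_drm_handle_register is an open-coded increment with no visible locking or atomic operation, while the release side goes through `gralloc_drm_bo_decref`. If register and unregister can run concurrently for handles that share one bo, a lost update would let the bo be freed while still referenced, which is the dangling-pointer crash this commit is meant to remove. Whether callers already serialize these calls is not visible in the hunk, so the contract should be stated in the function comment, for example `/* Takes one reference on the bo, released by gralloc_drm_handle_unregister(); caller must serialize register/unregister. */`. The comment block above the function starts outside the hunk.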
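Review bot: `bo->imported` is read after the new unconditional `gralloc_drm_bo_decref(bo)`, so if that call drops the last reference and frees the bo (its body is not part of this diff), the following test dereferences freed memory. That would presumably be reachable whenever unregister runs without a matching register, since nothing in the hunk checks that a registration reference is actually held. Capturing the flag before the first release, `int imported = bo->imported;` followed by `if (imported)`, removes the read of a possibly freed bo. An unbalanced unregister should also be rejected with -EINVAL rather than allowed to decrement. The function body starts before and continues past the hunk.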