authorQinglong Chai <qinglong.chai@mediatek.com>2017-06-08 20:47:33 +0800
committerMister Oyster <oysterized@gmail.com>2017-09-16 14:57:48 +0200
commitaeeea98b629f16665a0cc3a84b5c28a720f1ba21 (patch)
tree918f88c88af147a628cf0297c27b679dc0da3fba
parent384cf00787041088f91a0604dec112317135a369 (diff)
display: fbconfig use after free
[Detail] add mutex protect list_add and list_del to avoid use after free Change-Id: Ic7d02a5b97955eaee4d3684e13a4a67f3349b42b Signed-off-by: Qinglong Chai <qinglong.chai@mediatek.com> CR-Id: ALPS03275524 Feature: disp
-rw-r--r--drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
index 4e0bbaa5f..bf2b8ccb1 100644
--- a/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
+++ b/drivers/misc/mediatek/videox/mt6735/fbconfig_kdebug_k2.c
@@ -105,6 +105,7 @@ static PM_TOOL_T pm_params=
.pLcm_params =NULL,
.pLcm_drv=NULL,
};
+struct mutex fb_config_lock;
static void*pm_get_handle(void)
{
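Review bot: `fb_config_lock` is declared here with no static initialiser and is instead set up by `mutex_init(&fb_config_lock)` in the fbconfig_open hunk, so every open() re-initialises a lock that another thread may be holding or waiting on inside fbconfig_ioctl. Re-initialising a mutex that is in use resets its state, so the serialisation between `list_add` and `free_list_memory()` that this commit adds is lost again. Declare it as `static DEFINE_MUTEX(fb_config_lock);` and drop the `mutex_init` line from fbconfig_open; that also keeps the symbol out of the kernel's global namespace.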
@@ -212,6 +213,7 @@ static ssize_t fbconfig_open(struct inode *inode, struct file *file)
{
PM_TOOL_T* pm_params;
file->private_data = inode->i_private;
+ mutex_init(&fb_config_lock);
pm_params=(PM_TOOL_T*)pm_get_handle();
PanelMaster_set_PM_enable(1);
pm_params->pLcm_drv=DISP_GetLcmDrv();
@@ -296,7 +298,9 @@ static long fbconfig_ioctl(struct file * file, unsigned int cmd, unsigned long a
printk("list_add: copy_from_user failed! line:%d \n", __LINE__);
return -EFAULT;
}
+ mutex_lock(&fb_config_lock);
list_add(&record_tmp_list->list,&head_list.list);
+ mutex_unlock(&fb_config_lock);
/* printk("add cmd:type:%d num:%d value:\r\n",record_tmp_list->record.type,record_tmp_list->record.ins_num);
for(i=0; i< record_tmp_list->record.ins_num; i++)
printk("0x%x\t",record_tmp_list->record.ins_array[i]);
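Review bot: Once `mutex_unlock(&fb_config_lock)` returns, the node is reachable from head_list and a concurrent DRIVER_IC_CONFIG_DONE may free it, so nothing after the unlock may dereference `record_tmp_list`. The commented-out debug loop just below does exactly that and would become a use-after-free if re-enabled. I would add a comment such as `/* record_tmp_list belongs to head_list from here on; do not touch it after the unlock */`, or move any debug print inside the critical section. The rest of this case lies outside the hunk, so whether a live dereference follows cannot be confirmed from here.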
@@ -307,9 +311,11 @@ static long fbconfig_ioctl(struct file * file, unsigned int cmd, unsigned long a
case DRIVER_IC_CONFIG_DONE:
{
// print_from_head_to_tail();
+ mutex_lock(&fb_config_lock);
Panel_Master_dsi_config_entry("PM_DDIC_CONFIG",NULL);
/*free the memory .....*/
free_list_memory();
+ mutex_unlock(&fb_config_lock);
return 0;
}
case MIPI_SET_CC:
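Review bot: The lock is taken only in these two ioctl cases, and nothing in the diff says what `fb_config_lock` protects. Any other walker of head_list or caller of `free_list_memory()` (for example a release handler, not visible here) would still run unlocked. A comment before the critical section, e.g. `/* fb_config_lock: no record may be added or freed while the list is replayed and released */`, would document the rule, and those other paths are worth checking. Holding the mutex across `Panel_Master_dsi_config_entry()` is fine for a sleeping lock provided that function never takes `fb_config_lock` itself; its body is outside the hunk.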