From 99e2a21625d7228f2d61da6e09c701fb4f836ca8 Mon Sep 17 00:00:00 2001
From: Mark Yao <mark.yao@rock-chips.com>
Date: Sun, 26 Jun 2016 21:49:21 -0400
Subject: drm_gralloc: fix random crash with wildpointer

two drm handle may use same bo, but there is no
reference protect. if one of the drm handle release
the bo, another handle's bo become a wildpointer,
any read/write on the wildpointer will cause system
unstable, crash.

Change-Id: Ieaca522e3372dba82c48961499b9b657ca33cd15
Signed-off-by: Mark Yao <mark.yao@rock-chips.com>
---
 gralloc_drm.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gralloc_drm.cpp b/gralloc_drm.cpp
index 6f90a84..b0328b0 100644
--- a/gralloc_drm.cpp
+++ b/gralloc_drm.cpp
@@ -194,7 +194,15 @@ static struct gralloc_drm_bo_t *validate_handle(buffer_handle_t _handle,
  */
 int gralloc_drm_handle_register(buffer_handle_t handle, struct gralloc_drm_t *drm)
 {
-	return (validate_handle(handle, drm)) ? 0 : -EINVAL;
+	struct gralloc_drm_bo_t *bo;
+
+	bo = validate_handle(handle, drm);
+	if (!bo)
+		return -EINVAL;
+
+	bo->refcount++;
+
+	return 0;
 }
 
 /*
@@ -208,6 +216,7 @@ int gralloc_drm_handle_unregister(buffer_handle_t handle)
 	if (!bo)
 		return -EINVAL;
 
+	gralloc_drm_bo_decref(bo);
 	if (bo->imported)
 		gralloc_drm_bo_decref(bo);
 
-- 
cgit v1.2.3