When vbox_set_up_input_mapping() gets called the first crtc might be disable and not have a fb at all, triggering a NUL ptr deref at: vbox->input_mapping_width = CRTC_FB(crtci)->width; Instead of using the fb from the crtc with id 0, just use the fb from the first crtc with a fb. This is in the single_framebuffer = true path, so all crtc-s point to the same fb anyways.
Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
---
 drivers/staging/vboxvideo/vbox_mode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/vboxvideo/vbox_mode.c b/drivers/staging/vboxvideo/vbox_mode.c
index 1a2416a59fe0..910ea19931c9 100644
--- a/drivers/staging/vboxvideo/vbox_mode.c
+++ b/drivers/staging/vboxvideo/vbox_mode.c
@@ -189,17 +189,17 @@ static bool vbox_set_up_input_mapping(struct vbox_private *vbox)
 }
 }
 if (single_framebuffer) {
+ vbox->single_framebuffer = true;
 list_for_each_entry(crtci, &vbox->ddev.mode_config.crtc_list,
 head) {
- if (to_vbox_crtc(crtci)->crtc_id != 0)
+ if (!CRTC_FB(crtci))
 continue;
 
- vbox->single_framebuffer = true;
 vbox->input_mapping_width = CRTC_FB(crtci)->width;
 vbox->input_mapping_height = CRTC_FB(crtci)->height;
- return old_single_framebuffer !=
- vbox->single_framebuffer;
+ break;
 }
+ return old_single_framebuffer != vbox->single_framebuffer;
 }
 /* Otherwise calculate the total span of all screens. */
 list_for_each_entry(connectori, &vbox->ddev.mode_config.connector_list,
-- 
2.19.0.rc1
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
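Review bot: If no CRTC in crtc_list has a framebuffer, the new loop in the single_framebuffer branch falls through without assigning input_mapping_width or input_mapping_height, so both keep their previous values while vbox->single_framebuffer has already been set to true. Whether that case is reachable depends on how single_framebuffer is computed above the hunk, which is not visible here; if it is, handle it explicitly or document it with a comment before the return such as `/* No CRTC has a fb: the previous mapping size is kept. */`. Separately, CRTC_FB(crtci) is evaluated three times per iteration; reading it once (assuming the macro yields a struct drm_framebuffer pointer), `struct drm_framebuffer *fb = CRTC_FB(crtci);` followed by `if (!fb) continue;`, keeps the NULL check and both dereferences on the same pointer value. vbox_set_up_input_mapping() starts and ends outside this hunk.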