Google Git
Sign in
android / kernel / common / 504e1d6ee65d5
commit504e1d6ee65d5b5a053253ae62f46035d774353c[log] [tgz]
authorDaniel Rosenberg <drosen@google.com>Tue Jan 25 14:18:06 2022 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Sat Jan 29 10:15:58 2022 +0100
tree4c7405288c36960fab2cfa32ed002e9830d84904
parentd47e16bb32239e4aecb3bb04bd9117016e4884fb [diff]
ion: Fix use after free during ION_IOC_ALLOC

If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
on the just allocated id, and the copy_to_user fails, the cleanup
code will attempt to free an already freed handle.

This adds a wrapper for ion_alloc that adds an ion_handle_get to
avoid this.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3 files changed
tree: 4c7405288c36960fab2cfa32ed002e9830d84904
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS