commit | 2e9efae734f949194a616bc9a08c71b2cd188997 | [log] [tgz] |
---|---|---|
author | Daniel Rosenberg <drosen@google.com> | Wed Nov 02 17:43:51 2016 -0700 |
committer | Ben Fennema <fennema@google.com> | Fri Aug 25 14:33:06 2017 -0700 |
tree | 3ebcb75605f846336acf14b0e038209624a03fa6 | |
parent | 0682eaefc21999ef7ba37bd96e9323879e55d9be [diff] |
ion: Fix use after free during ION_IOC_ALLOC If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle. This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this. Bug: 31568617 Bug: 32987001 Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed Signed-off-by: Daniel Rosenberg <drosen@google.com>