iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ion: Do not 'put' ION handle until after its final use

Browse Source 
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.

Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.

Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Lee Jones 2022-01-25 14:18:08 +00:00 committed by Greg Kroah-Hartman
parent a8200613c8
commit c47385c73f
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/staging/android/ion/ion-ioctl.c
View File

@ -165,10 +165,9 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
data.allocation.flags, true);
if (IS_ERR(handle))
return PTR_ERR(handle);
pass_to_user(handle);
data.allocation.handle = handle->id;
cleanup_handle = handle;
pass_to_user(handle);
break;
}
case ION_IOC_FREE:
@ -212,11 +211,12 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
if (IS_ERR(handle)) {
ret = PTR_ERR(handle);
} else {
data.handle.handle = handle->id;
handle = pass_to_user(handle);
if (IS_ERR(handle))
if (IS_ERR(handle)) {
ret = PTR_ERR(handle);
else
data.handle.handle = handle->id;
data.handle.handle = 0;
}
}
break;
}