git.ipfire.org Git - thirdparty/kernel/stable.git/commit
ion: Fix use after free during ION_IOC_ALLOC
author Daniel Rosenberg <drosen@google.com>
Tue, 25 Jan 2022 14:18:06 +0000 (14:18 +0000)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Jan 2022 09:15:58 +0000 (10:15 +0100)
commit 504e1d6ee65d5b5a053253ae62f46035d774353c
tree 4c7405288c36960fab2cfa32ed002e9830d84904
parent d47e16bb32239e4aecb3bb04bd9117016e4884fb
ion: Fix use after free during ION_IOC_ALLOC

If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
on the just allocated id, and the copy_to_user fails, the cleanup
code will attempt to free an already freed handle.

This adds a wrapper for ion_alloc that adds an ion_handle_get to
avoid this.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/android/ion/ion-ioctl.c
drivers/staging/android/ion/ion.c
drivers/staging/android/ion/ion.h
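
The reference-holding pattern the commit message describes, as an added user-space model that is not the driver's code or part of this commit. The struct and every function name here are hypothetical, and the racing FREE and the failed copy-out are replayed in a fixed order instead of on separate threads.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; hypothetical names, not the ION driver's structures. */
struct handle {
    int  refs;       /* reference count */
    bool in_table;   /* id still resolvable from user space */
    bool destroyed;  /* set when the last reference is dropped */
    int  bad_puts;   /* puts that arrived after destruction (use after free) */
};

static void handle_get(struct handle *h) { h->refs++; }

static void handle_put(struct handle *h)
{
    if (h->destroyed) { h->bad_puts++; return; } /* real code would touch freed memory */
    if (--h->refs == 0)
        h->destroyed = true;
}

/* FREE path: drops the id table's reference if the id is still valid. */
static void ioctl_free(struct handle *h)
{
    if (!h->in_table)
        return;
    h->in_table = false;
    handle_put(h);
}

/* ALLOC path with a racing FREE before copy-out, and copy-out failing.
 * Returns the number of puts that hit an already destroyed handle. */
static int ioctl_alloc(struct handle *h, bool hold_extra_ref)
{
    *h = (struct handle){ .refs = 1, .in_table = true };
    if (hold_extra_ref)
        handle_get(h);           /* ALLOC path keeps its own reference */
    ioctl_free(h);               /* racing FREE on the just allocated id */
    if (hold_extra_ref)
        ioctl_free(h);           /* cleanup: id already gone, so a no-op */
    handle_put(h);               /* cleanup drops what it believes it owns */
    return h->bad_puts;
}

int main(void)
{
    struct handle h;
    printf("without extra ref: %d bad put(s)\n", ioctl_alloc(&h, false));
    printf("with extra ref:    %d bad put(s)\n", ioctl_alloc(&h, true));
    return 0;
}
```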