Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / c30d45ac0d79ef6214748c3e1742a2bca9583047
commitc30d45ac0d79ef6214748c3e1742a2bca9583047[log] [tgz]
authorDaniel Rosenberg <drosen@google.com>Wed Nov 02 17:43:51 2016 -0700
committerPatrick Daly <pdaly@codeaurora.org>Wed Mar 22 10:50:20 2017 -0700
tree912fe8756ed830eab9b0af48dae8a8d28d947ecd
parent53cf234779c4e0315b4296702a2196bc0e09002f [diff]
ion: Fix use after free during ION_IOC_ALLOC

If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.

This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.

Bug: 31568617
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Git-repo: https://android.googlesource.com/kernel/msm/
Git-commit: 20a5411d0115b16826f3d327b6abb0192c8a2001
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
1 file changed
tree: 912fe8756ed830eab9b0af48dae8a8d28d947ecd
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. AndroidKernel.mk
  29. build.config.goldfish.arm
  30. build.config.goldfish.arm64
  31. build.config.goldfish.mips
  32. build.config.goldfish.mips64
  33. build.config.goldfish.x86
  34. build.config.goldfish.x86_64
  35. COPYING
  36. CREDITS
  37. Kbuild
  38. Kconfig
  39. MAINTAINERS
  40. Makefile
  41. README
  42. REPORTING-BUGS