gpu: ion: Validate handles passed via the kernel api
Before freeing or sharing handles, confirm that they
are valid in the provided client
Change-Id: I06ec599c0b277fcb5417325a12ecbf8b2d248a7b
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c
index 1c25940..9cb5b25 100644
--- a/drivers/gpu/ion/ion.c
+++ b/drivers/gpu/ion/ion.c
@@ -333,6 +333,18 @@
void ion_free(struct ion_client *client, struct ion_handle *handle)
{
+ bool valid_handle;
+
+ BUG_ON(client != handle->client);
+
+ mutex_lock(&client->lock);
+ valid_handle = ion_handle_validate(client, handle);
+ mutex_unlock(&client->lock);
+
+ if (!valid_handle) {
+ WARN("%s: invalid handle passed to free.\n", __func__);
+ return;
+ }
ion_handle_put(handle);
}
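Review bot: `BUG_ON(client != handle->client)` reads through `handle` before `ion_handle_validate()` has confirmed it, so a stale or NULL handle is dereferenced ahead of the check this patch adds. Run the validation first and treat a client mismatch as the same invalid-handle return rather than a BUG. Separately, `WARN()` takes a condition as its first argument, so here the format string becomes the condition and `__func__` the format; it should be `WARN(1, "%s: invalid handle passed to free.\n", __func__);`, and the same applies to the WARN in ion_share. `client->lock` is also dropped between the validation and `ion_handle_put(handle)`, so the result can go stale if another thread releases the handle in that window. Holding the lock across the put would close the gap, provided ion_handle_put's own locking (not visible here) allows it; ion_share has the same check-then-use pattern.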
@@ -500,6 +512,16 @@
struct ion_buffer *ion_share(struct ion_client *client,
struct ion_handle *handle)
{
+ bool valid_handle;
+
+ mutex_lock(&client->lock);
+ valid_handle = ion_handle_validate(client, handle);
+ mutex_unlock(&client->lock);
+ if (!valid_handle) {
+ WARN("%s: invalid handle passed to share.\n", __func__);
+ return ERR_PTR(-EINVAL);
+ }
+
/* don't not take an extra refernce here, the burden is on the caller
* to make sure the buffer doesn't go away while it's passing it
* to another client -- ion_free should not be called on this handle
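Review bot: The new failure path returns `ERR_PTR(-EINVAL)`, so callers of ion_share now have to test the result with `IS_ERR()` rather than assuming a usable pointer or comparing against NULL. The callers are not visible in this diff, so that needs confirming. The contract should be stated above the function, for example `/* Returns the handle's buffer, or ERR_PTR(-EINVAL) if handle is not valid in client. */`. The context comment at the end of the hunk reads "don't not take an extra refernce"; if that block is touched it should say "do not take an extra reference". ion_share's body continues past the end of this hunk.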