ion: Do not 'put' ION handle until after its final use
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.
Read handle->id before calling pass_to_user() in both ION_IOC_ALLOC and
ION_IOC_IMPORT, so the handle is not 'put' until after its final use.
Issue: SEC-3341
Issue: SEC-3344
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c47385c73fced27375559d1a2eb10f165a0869b0)
Change-Id: Iedc75c5923e3e71974595bc79bb5c75220dc3226
diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c
index 0571a2a..a0914d8 100644
--- a/drivers/gpu/ion/ion.c
+++ b/drivers/gpu/ion/ion.c
@@ -1447,9 +1447,9 @@
if (IS_ERR(handle))
return PTR_ERR(handle);
- pass_to_user(handle);
data.handle = (ion_user_handle_t)handle->id;
+ pass_to_user(handle);
if (copy_to_user((void __user *)arg, &data, sizeof(data))) {
mutex_lock(&client->lock);
user_ion_free_nolock(client, handle);
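Review bot: In the ION_IOC_ALLOC path the return value of `pass_to_user(handle)` is still discarded, whereas the ION_IOC_IMPORT hunk below assigns it and checks `IS_ERR()` on the result, so a failure inside pass_to_user() here goes unnoticed and the handle id is still copied to userspace as if the handover succeeded. Making ALLOC mirror IMPORT, `handle = pass_to_user(handle); if (IS_ERR(handle)) return PTR_ERR(handle);`, would report the failure instead (whether the caller must still release anything on that error path depends on pass_to_user()'s cleanup, which is outside this hunk and should be confirmed). Separately, the copy_to_user() failure branch still dereferences `handle` in `user_ion_free_nolock(client, handle)` after pass_to_user() has dropped the kernel reference; per the commit message that is the point at which the client may legitimately free it, so this use is presumably guarded by the user reference or the client lock, and a one-line comment stating that would help the next reader. The enclosing ION_IOC_ALLOC case begins before and ends after this hunk.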
@@ -1509,11 +1509,12 @@
if (IS_ERR(handle)) {
ret = PTR_ERR(handle);
} else {
+ data.handle = (ion_user_handle_t)handle->id;
handle = pass_to_user(handle);
- if (IS_ERR(handle))
+ if (IS_ERR(handle)) {
ret = PTR_ERR(handle);
- else
- data.handle = (ion_user_handle_t)handle->id;
+ data.handle = 0;
+ }
}
if (copy_to_user((void __user *)arg, &data,