commit 25dc99c0731f50bd9d32a9938648a38efba53138
author Lee Jones <lee.jones@linaro.org> Tue Jan 25 14:18:08 2022 +0000
committer Maarten Derks <maarten@fairphone.com> Tue Apr 05 14:06:43 2022 +0200
tree a8d696d64ac4bcd4ef71f4a8a9e609aad7dd9009
parent f12157922320f91728ea32958ba76d281d2cbd7c

ion: Do not 'put' ION handle until after its final use

pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.

Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.

Issue: SEC-3341
Issue: SEC-3344
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c47385c73fced27375559d1a2eb10f165a0869b0)
Change-Id: Iedc75c5923e3e71974595bc79bb5c75220dc3226

drivers/gpu/ion/ion.c

diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c
index 0571a2a..a0914d8 100644
--- a/drivers/gpu/ion/ion.c
+++ b/drivers/gpu/ion/ion.c
@@ -1447,9 +1447,9 @@
 
 		if (IS_ERR(handle))
 			return PTR_ERR(handle);
-		pass_to_user(handle);
 		data.handle = (ion_user_handle_t)handle->id;
 
+		pass_to_user(handle);
 		if (copy_to_user((void __user *)arg, &data, sizeof(data))) {
 			mutex_lock(&client->lock);
 			user_ion_free_nolock(client, handle);
@@ -1509,11 +1509,12 @@
 		if (IS_ERR(handle)) {
 			ret = PTR_ERR(handle);
 		} else {
+			data.handle = (ion_user_handle_t)handle->id;
 			handle = pass_to_user(handle);
-			if (IS_ERR(handle))
+			if (IS_ERR(handle)) {
 				ret = PTR_ERR(handle);
-			else
-				data.handle = (ion_user_handle_t)handle->id;
+				data.handle = 0;
+			}
 		}
 
 		if (copy_to_user((void __user *)arg, &data,