author | Lee Jones <lee.jones@linaro.org> | 2022-01-25 14:18:08 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-01-29 10:15:58 +0100 |
commit | c47385c73fced27375559d1a2eb10f165a0869b0 (patch) | |
tree | 1e6820d8f09d750e1c4fce56115d35cfe3ef17e6 | |
parent | a8200613c8c9fbaf7b55d4d438376ebaf0c4ce7e (diff) |
ion: Do not 'put' ION handle until after its final use
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.
Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/staging/android/ion/ion-ioctl.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/staging/android/ion/ion-ioctl.c b/drivers/staging/android/ion/ion-ioctl.c index d47e9b4171e2..a27865b94416 100644 --- a/drivers/staging/android/ion/ion-ioctl.c +++ b/drivers/staging/android/ion/ion-ioctl.c @@ -165,10 +165,9 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) data.allocation.flags, true); if (IS_ERR(handle)) return PTR_ERR(handle); - pass_to_user(handle); data.allocation.handle = handle->id; - cleanup_handle = handle; + pass_to_user(handle); break; } case ION_IOC_FREE: @@ -212,11 +211,12 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (IS_ERR(handle)) { ret = PTR_ERR(handle); } else { + data.handle.handle = handle->id; handle = pass_to_user(handle); - if (IS_ERR(handle)) + if (IS_ERR(handle)) { ret = PTR_ERR(handle); - else - data.handle.handle = handle->id; + data.handle.handle = 0; + } } break; } |
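Review bot: in the ION_IOC_ALLOC hunk (@@ -165,10 +165,9 @@) the return value of the relocated pass_to_user(handle) is discarded, while the ION_IOC_IMPORT hunk in the same patch assigns it back and checks it with IS_ERR(). If pass_to_user() can fail here too, data.allocation.handle keeps an id for a handle the caller never received; consider handling it the same way as IMPORT (set ret from PTR_ERR() and clear data.allocation.handle). The hunk also drops `cleanup_handle = handle;`, which the commit message does not mention. Please say in the message why that assignment is no longer needed once pass_to_user() is the last use of the handle.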
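Review bot: in the ION_IOC_IMPORT hunk (@@ -212,11 +211,12 @@) nothing in the code explains why `data.handle.handle = handle->id;` now has to come before `handle = pass_to_user(handle);`, so a later cleanup could easily move the read back after the put. A one-line comment above the assignment, noting that the handle may be freed once pass_to_user() drops its reference and so must not be dereferenced afterwards, would protect the ordering. On the error branch, `data.handle.handle = 0;` relies on 0 never being a valid handle id, which is not visible in this hunk; a short note or a named constant for the invalid id would make that assumption explicit.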