Re: [PATCH 4.9 1/3] ion: Fix use after free during ION_IOC_ALLOC

On Mon, Jan 24, 2022 at 04:12:41PM +0000, Lee Jones wrote:
> From: Daniel Rosenberg <drosen@xxxxxxxxxx>
> 
> If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
> on the just allocated id, and the copy_to_user fails, the cleanup
> code will attempt to free an already freed handle.
> 
> This adds a wrapper for ion_alloc that adds an ion_handle_get to
> avoid this.
> 
> Signed-off-by: Daniel Rosenberg <drosen@xxxxxxxxxx>
> Signed-off-by: Dennis Cagle <d-cagle@xxxxxxxxxxxxxx>
> Signed-off-by: Patrick Daly <pdaly@xxxxxxxxxxxxxx>
> Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
> ---
>  drivers/staging/android/ion/ion-ioctl.c | 14 +++++++++-----
>  drivers/staging/android/ion/ion.c       | 15 ++++++++++++---
>  drivers/staging/android/ion/ion.h       |  4 ++++
>  3 files changed, 25 insertions(+), 8 deletions(-)

What is the git commit id of this in Linus's tree (same for the other
2)?

And why just 4.9?  What about 4.14 and newer kernels?

thanks,

greg k-h
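
The race described in the quoted commit message, as an added user-space model that is not part of this thread or of the patch. All names (`handle`, `free_by_id`, `simulate`) are hypothetical, and the interleaving is replayed sequentially with a flag standing in for the actual free:

```c
#include <stdio.h>

/* Toy user-space model of the race; every name here is hypothetical. */
struct handle {
    int refs;      /* reference count */
    int in_table;  /* 1 while the id can still be looked up */
    int released;  /* set at the point where a kernel would free the object */
};

static int stale_access;   /* touches of a handle after its release */
static int last_released;  /* 1 if the last run ended with the handle released */

static void handle_put(struct handle *h)
{
    if (h->released) { stale_access++; return; }
    if (--h->refs == 0)
        h->released = 1;
}

/* Free-by-id: drops the reference owned by the id table, at most once. */
static void free_by_id(struct handle *h)
{
    if (h->released) { stale_access++; return; }  /* stale pointer */
    if (h->in_table) { h->in_table = 0; handle_put(h); }
}

/* One alloc call whose copy to user space fails. race: another thread frees
 * the new id first. pin: the alloc wrapper took an extra reference. */
static int simulate(int pin, int race)
{
    struct handle h = { .refs = 1, .in_table = 1, .released = 0 };

    stale_access = 0;
    if (pin)
        h.refs++;          /* caller's reference, held across the call */
    if (race)
        free_by_id(&h);    /* racing free of the just-allocated id */
    free_by_id(&h);        /* cleanup after the failed copy */
    if (pin)
        handle_put(&h);    /* drop the caller's reference last */
    last_released = h.released && h.refs == 0;
    return stale_access;
}

int main(void)
{
    printf("unpinned, raced: %d stale access(es)\n", simulate(0, 1));
    printf("pinned, raced:   %d stale access(es)\n", simulate(1, 1));
    return 0;
}
```

Without the extra reference the cleanup path touches a handle the racing free already released; with it, the handle is released exactly once, by the caller's final put.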


