On Mon, 24 Jan 2022, Greg KH wrote:

> On Mon, Jan 24, 2022 at 04:12:41PM +0000, Lee Jones wrote:
> > From: Daniel Rosenberg <drosen@xxxxxxxxxx>
> >
> > If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
> > on the just allocated id, and the copy_to_user fails, the cleanup
> > code will attempt to free an already freed handle.
> >
> > This adds a wrapper for ion_alloc that adds an ion_handle_get to
> > avoid this.
> >
> > Signed-off-by: Daniel Rosenberg <drosen@xxxxxxxxxx>
> > Signed-off-by: Dennis Cagle <d-cagle@xxxxxxxxxxxxxx>
> > Signed-off-by: Patrick Daly <pdaly@xxxxxxxxxxxxxx>
> > Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
> > ---
> >  drivers/staging/android/ion/ion-ioctl.c | 14 +++++++++-----
> >  drivers/staging/android/ion/ion.c       | 15 ++++++++++++---
> >  drivers/staging/android/ion/ion.h       |  4 ++++
> >  3 files changed, 25 insertions(+), 8 deletions(-)
>
> What is the git commit id of this in Linus's tree (same for the other
> 2)?

They are not in Linus' tree. These fixes only made it into Android for some reason.

> And why just 4.9? What about 4.14 and newer kernels?

The troublesome code was refactored before v4.14.

-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
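The race the commit message describes, modelled in user-space C as an added example. This is not the patch, the 4.9 ION driver, or the Android fix: the `handle_model`/`client_model` structures, the slot pool standing in for the slab, the `race_free` and `copy_fails` switches that stand in for a concurrent ION_IOC_FREE and a failing copy_to_user(), and every function name are assumptions made to show the refcount pattern. The unfixed flow lets the cleanup drop a reference that a racing free already dropped; the fixed flow takes an extra reference before the id is published, so the handle is guaranteed alive whatever userspace does with the id, and the cleanup only revokes the id if it is still installed.

```c
/*
 * Model of the ION_IOC_ALLOC / ION_IOC_FREE race. Added example, not kernel
 * or Android code: structures, names and the race/copy switches are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_HANDLES 4

struct handle_model {
    int refcount;   /* models the kref on the handle */
    int id;         /* the id handed to userspace (slot index here) */
    bool freed;     /* true once refcount hit zero (a real kernel would kfree()) */
};

struct client_model {
    struct handle_model pool[MAX_HANDLES];   /* stand-in for the slab: slots can be reused */
    struct handle_model *idr[MAX_HANDLES];   /* id -> handle; the entry IS the user's reference */
};

static void client_init(struct client_model *c)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        c->pool[i].refcount = 0;
        c->pool[i].id = i;
        c->pool[i].freed = true;             /* slot unused */
        c->idr[i] = NULL;
    }
}

/* Like a kref put; returns -1 if the handle was already released (the double free). */
static int handle_put(struct handle_model *h)
{
    if (h->freed)
        return -1;
    if (--h->refcount == 0)
        h->freed = true;
    return 0;
}

static void handle_get(struct handle_model *h) { h->refcount++; }

/* Stand-in for ion_alloc(): one reference, represented by the idr entry. */
static struct handle_model *handle_alloc(struct client_model *c)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        struct handle_model *h = &c->pool[i];
        if (!h->freed)
            continue;
        h->freed = false;
        h->refcount = 1;
        c->idr[i] = h;
        return h;
    }
    return NULL;
}

/* Stand-in for ION_IOC_FREE: revoke the id and drop the reference it represented. */
static int ioc_free(struct client_model *c, int id)
{
    if (id < 0 || id >= MAX_HANDLES || !c->idr[id])
        return -1;
    struct handle_model *h = c->idr[id];
    c->idr[id] = NULL;
    return handle_put(h);
}

/*
 * Unfixed flow. race_free: another thread frees the new id between the
 * allocation and the copy; copy_fails: copy_to_user() fails.
 * Returns 0 on success, -1 for a plain failure (-EFAULT), -2 when the
 * cleanup put a handle that had already been released.
 */
static int ioc_alloc_unfixed(struct client_model *c, bool race_free, bool copy_fails)
{
    struct handle_model *h = handle_alloc(c);
    if (!h)
        return -1;
    int id = h->id;                          /* data.allocation.handle = id */
    if (race_free)
        ioc_free(c, id);                     /* the racing thread wins */
    if (copy_fails)
        return handle_put(h) < 0 ? -2 : -1;  /* cleanup assumes it still owns a reference */
    return 0;
}

/* Fixed flow: an extra reference (the wrapper's ion_handle_get) is held across the copy. */
static int ioc_alloc_fixed(struct client_model *c, bool race_free, bool copy_fails)
{
    struct handle_model *h = handle_alloc(c);
    if (!h)
        return -1;
    handle_get(h);                           /* keeps h alive regardless of ION_IOC_FREE */
    int id = h->id;
    if (race_free)
        ioc_free(c, id);                     /* drops only the user's reference */
    int rc = 0;
    if (copy_fails) {
        rc = -1;
        if (c->idr[id] == h) {               /* revoke the id only if still installed */
            c->idr[id] = NULL;
            if (handle_put(h) < 0)
                rc = -2;
        }
    }
    if (handle_put(h) < 0)                   /* drop our extra reference; never a double put */
        rc = -2;
    return rc;
}

int main(void)
{
    struct client_model c;
    client_init(&c);
    printf("unfixed, race + copy failure: %d\n", ioc_alloc_unfixed(&c, true, true));
    client_init(&c);
    printf("fixed,   race + copy failure: %d\n", ioc_alloc_fixed(&c, true, true));
    return 0;
}
```

Checking `c->idr[id] == h` alone, without the extra reference, would not be a fix: once the racing free releases the handle, the slot can be reallocated to another caller with the same id and address, and a pointer comparison would then pass and release someone else's handle. Holding a reference across the copy removes that window entirely.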