On Tue, Jan 25, 2022 at 09:21:24AM +0000, Lee Jones wrote:
> On Mon, 24 Jan 2022, Greg KH wrote:
>
> > On Mon, Jan 24, 2022 at 04:12:41PM +0000, Lee Jones wrote:
> > > From: Daniel Rosenberg <drosen@xxxxxxxxxx>
> > >
> > > If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
> > > on the just allocated id, and the copy_to_user fails, the cleanup
> > > code will attempt to free an already freed handle.
> > >
> > > This adds a wrapper for ion_alloc that adds an ion_handle_get to
> > > avoid this.
> > >
> > > Signed-off-by: Daniel Rosenberg <drosen@xxxxxxxxxx>
> > > Signed-off-by: Dennis Cagle <d-cagle@xxxxxxxxxxxxxx>
> > > Signed-off-by: Patrick Daly <pdaly@xxxxxxxxxxxxxx>
> > > Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
> > > ---
> > >  drivers/staging/android/ion/ion-ioctl.c | 14 +++++++++-----
> > >  drivers/staging/android/ion/ion.c       | 15 ++++++++++++---
> > >  drivers/staging/android/ion/ion.h       |  4 ++++
> > >  3 files changed, 25 insertions(+), 8 deletions(-)
> >
> > What is the git commit id of this in Linus's tree (same for the other
> > 2)?
>
> They are not in Linus' tree.
>
> These fixes only made it into Android for some reason.
>
> > And why just 4.9?  What about 4.14 and newer kernels?
>
> The troublesome code was refactored before v4.14.

Then that needs to be said here in the changelog text please.

thanks,

greg k-h
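
The race described in the quoted commit message, as an added example that is not part of this thread or of the kernel patch: a single-threaded C model in which the racing free is placed by hand between allocation and the failed copy. All function and variable names are hypothetical, and the handle lives in a static slot so the model counts stale accesses instead of really touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy handle: 'live' stands in for "memory is still allocated". */
struct handle { int refs; bool live; int stale_touches; };
static struct handle pool;       /* one static slot, so no real heap UAF */
static struct handle *id_table;  /* the client's id -> handle map (one id) */

static void handle_get(struct handle *h) { h->refs++; }

static void handle_put(struct handle *h)
{
    if (!h->live) { h->stale_touches++; return; } /* would be a double free */
    if (--h->refs == 0)
        h->live = false;                           /* kfree() in real code */
}

/* Models ION_IOC_FREE: drops the table's reference if the id is mapped. */
static void free_by_id(void)
{
    struct handle *h = id_table;
    if (!h) return;
    id_table = NULL;
    handle_put(h);
}

/* Models ION_IOC_ALLOC when copy_to_user fails. 'fixed' takes the extra
 * reference in the allocation wrapper; 'race' injects a concurrent free.
 * Returns how many times an already freed handle was touched. */
static int alloc_ioctl_copy_fails(bool fixed, bool race)
{
    struct handle *h = &pool;
    pool = (struct handle){ .refs = 1, .live = true }; /* table's reference */
    id_table = h;
    if (fixed) handle_get(h);   /* ioctl path now holds its own reference */
    if (race) free_by_id();     /* another thread frees the new id */
    /* copy_to_user() fails here, so the cleanup path runs */
    if (fixed) {
        free_by_id();           /* no-op if the id is already gone */
        handle_put(h);          /* drop the ioctl's own reference */
    } else {
        id_table = NULL;        /* cleanup frees through the stale pointer */
        handle_put(h);
    }
    return h->stale_touches;
}

int main(void)
{
    printf("unfixed, raced: %d stale touch(es)\n", alloc_ioctl_copy_fails(false, true));
    printf("fixed, raced:   %d stale touch(es)\n", alloc_ioctl_copy_fails(true, true));
    return 0;
}
```

In the fixed path the handle is released exactly once whether or not the free races, because the cleanup only ever drops references it owns.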