On Tue, Jan 25, 2022 at 02:18:06PM +0000, Lee Jones wrote:
> From: Daniel Rosenberg <drosen@xxxxxxxxxx>
>
> If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
> on the just allocated id, and the copy_to_user fails, the cleanup
> code will attempt to free an already freed handle.
>
> This adds a wrapper for ion_alloc that adds an ion_handle_get to
> avoid this.
>
> Signed-off-by: Daniel Rosenberg <drosen@xxxxxxxxxx>
> Signed-off-by: Dennis Cagle <d-cagle@xxxxxxxxxxxxxx>
> Signed-off-by: Patrick Daly <pdaly@xxxxxxxxxxxxxx>
> Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
> ---
>
> NB: These are Android patches that were not sent to Mainline.
>
> Only v4.9 is affected by these issues due to refactoring.

All now queued up, thanks.

greg k-h
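
The race described in the quoted commit message, as an added single-threaded model in C; it is not the ION driver's code and not part of the patch. The struct, the function names and the `id_valid` check are assumptions made for illustration, and the racing free is replayed at a fixed point instead of on a second thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy refcounted handle (hypothetical; not the ION driver's structures). */
struct handle { int refs; bool freed; int bad_puts; };

static void handle_get(struct handle *h) { h->refs++; }

static void handle_put(struct handle *h)
{
    if (h->freed) { h->bad_puts++; return; } /* put on a freed handle */
    if (--h->refs == 0)
        h->freed = true;
}

/* Alloc path whose copy-out to user space fails.
 * hold_ref:    the alloc path pins the handle with its own reference.
 * racing_free: another thread frees the just-published id first. */
static struct handle alloc_ioctl_fail(bool hold_ref, bool racing_free)
{
    struct handle h = { .refs = 1 };  /* reference owned by the id table */
    bool id_valid = true;

    if (hold_ref)
        handle_get(&h);               /* caller's own reference */

    if (racing_free) {                /* concurrent free of the new id */
        handle_put(&h);
        id_valid = false;
    }

    /* copy_to_user() failed: error cleanup. */
    if (!hold_ref) {
        handle_put(&h);               /* unconditional free of the handle */
    } else {
        if (id_valid)
            handle_put(&h);           /* drop the table's reference */
        handle_put(&h);               /* drop the pinned reference */
    }
    return h;
}

int main(void)
{
    printf("no extra ref, raced: bad puts = %d\n",
           alloc_ioctl_fail(false, true).bad_puts);
    printf("extra ref, raced:    bad puts = %d\n",
           alloc_ioctl_fail(true, true).bad_puts);
    return 0;
}
```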