From: Lee Jones <lee.jones@xxxxxxxxxx>
pass_to_user() eventually calls kref_put() on an ION handle which is still live, potentially allowing for it to be legitimately freed by the client. Prevent this from happening before its final use in both ION_IOC_ALLOC and ION_IOC_IMPORT.
Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/staging/android/ion/ion-ioctl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/staging/android/ion/ion-ioctl.c
+++ b/drivers/staging/android/ion/ion-ioctl.c
@@ -165,10 +165,9 @@ long ion_ioctl(struct file *filp, unsign
 data.allocation.flags, true);
 if (IS_ERR(handle))
 return PTR_ERR(handle);
- pass_to_user(handle);
 data.allocation.handle = handle->id;
- cleanup_handle = handle;
+ pass_to_user(handle);
 break;
 }
 case ION_IOC_FREE:
@@ -212,11 +211,12 @@ long ion_ioctl(struct file *filp, unsign
 if (IS_ERR(handle)) {
 ret = PTR_ERR(handle);
 } else {
+ data.handle.handle = handle->id;
 handle = pass_to_user(handle);
- if (IS_ERR(handle))
+ if (IS_ERR(handle)) {
 ret = PTR_ERR(handle);
- else
- data.handle.handle = handle->id;
+ data.handle.handle = 0;
+ }
 }
 break;
 }
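Review bot: The new `pass_to_user(handle);` line in the ION_IOC_ALLOC case discards the call's return value, while the ION_IOC_IMPORT hunk in the same patch treats an ERR_PTR from the very same call as a failure; if pass_to_user() can fail here as well, ALLOC reports success to user space with a `data.allocation.handle` id that was never actually handed over. Mirroring the IMPORT path would be `handle = pass_to_user(handle); if (IS_ERR(handle)) return PTR_ERR(handle);`. The patch also drops `cleanup_handle = handle;`, so whatever the post-switch code (outside this hunk) did with cleanup_handle when copying the result back to user space fails presumably no longer covers this allocation — worth confirming that is intended rather than an allocation the caller never learns the id of. ion_ioctl() starts and ends outside the hunk.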
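Review bot: The statement order in the new `else` branch is the entire fix, but nothing in the code records that, so a later tidy-up could move `data.handle.handle = handle->id;` back below the `pass_to_user()` call and reintroduce the use-after-free the commit message describes. Add a comment above the assignment, e.g. `/* Read the id before pass_to_user(): it puts our reference (see commit message) and the handle may be freed underneath us. */`, and the same note above the equivalent line in the ION_IOC_ALLOC hunk. ion_ioctl() starts and ends outside the hunk.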