ion: Fix use after free during ION_IOC_ALLOC
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle. This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
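
The reference-counting argument in the commit message, replayed as a small single-threaded userspace model. This is an added example, not code from the patch or the ION driver; `struct handle`, `free_by_id` and `alloc_fail_path` are hypothetical names, and the cleanup is assumed to undo the allocation by freeing the id.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a refcounted handle; not the kernel's struct ion_handle. */
struct handle {
    int  refs;      /* reference count */
    bool id_valid;  /* id is still registered with the client */
    bool freed;     /* refs hit zero: real code would have released the memory */
    bool uaf;       /* set if anything touched the handle after that point */
};

static void handle_put(struct handle *h)
{
    if (h->freed) { h->uaf = true; return; }
    if (--h->refs == 0)
        h->freed = true;
}

/* Drop the reference held by the id, as a free-by-id request would (assumed). */
static void free_by_id(struct handle *h)
{
    if (h->freed) { h->uaf = true; return; }
    if (!h->id_valid)
        return;                 /* id was already released by someone else */
    h->id_valid = false;
    handle_put(h);
}

/* Replay the failing alloc path; true means cleanup only touched live memory
 * and the handle was released exactly once. */
static bool alloc_fail_path(bool extra_ref, bool racing_free)
{
    struct handle h = { .refs = 1, .id_valid = true };
    if (extra_ref)
        h.refs++;               /* reference owned by the alloc path */
    if (racing_free)
        free_by_id(&h);         /* another thread frees the new id */
    free_by_id(&h);             /* copy_to_user failed: undo the allocation */
    if (extra_ref)
        handle_put(&h);         /* drop the alloc path's own reference */
    return !h.uaf && h.freed && h.refs == 0;
}

int main(void)
{
    printf("no extra ref, racing free: %s\n", alloc_fail_path(false, true) ? "ok" : "use after free");
    printf("extra ref,    racing free: %s\n", alloc_fail_path(true, true) ? "ok" : "use after free");
    return 0;
}
```
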
