ion: Do not 'put' ION handle until after its final use (a8e20ed6) · Commits · e / devices / android_kernel_fairphone_FP3

pass_to_user() eventually calls kref_put() on an ION handle which is still live, potentially allowing for it to be legitimately freed by the client. Prevent this from happening before its final use in both ION_IOC_ALLOC and ION_IOC_IMPORT. Signed-off-by:

Lee Jones <lee.jones@linaro.org> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ) Issue: FP3SEC-320 Change-Id: I658d8b13cce60b6d384fa0e630980f0d459ca52c (cherry picked from commit a84b980fcde59e2c1629723bb2aa1eedb78b83ab)

drivers/staging/android/ion/ion.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -1635,10 +1635,10 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
		data.allocation.flags, true);
		if (IS_ERR(handle))
		return PTR_ERR(handle);
		pass_to_user(handle);
		data.allocation.handle = handle->id;

		cleanup_handle = handle;
		pass_to_user(handle);
		break;
		}
		case ION_IOC_FREE:
		@@ -1683,11 +1683,12 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
		if (IS_ERR(handle)) {
		ret = PTR_ERR(handle);
		} else {
		data.handle.handle = handle->id;
		handle = pass_to_user(handle);
		if (IS_ERR(handle))
		if (IS_ERR(handle)) {
		ret = PTR_ERR(handle);
		else
		data.handle.handle = handle->id;
		data.handle.handle = 0;
		}
		}
		break;
		}