ANDROID: staging: ion: Fix potential memory corruption
ion_dma_buf_unmap() interprets the priv pointer in the attachment structure as a pointer to an ion_dma_buf_attachment structure, and modifies the "mapped" field of that structure. In cases where the heap specifies its own dma-buf ops, this is not correct, as the priv pointer in the attachment structure may point to a structure that is not an ion_dma_buf_attachment structure, and thus, the current implementation of ion_dma_buf_unmap() will modify the unknown structure--potentially putting it in an inconsistent state--prior to calling the heap's dma-buf unmap operation.

Thus, modify the structure pointed to by the priv field in the attachment structure only if the heap doesn't provide its own implementation of the unmap operation, as that guarantees that the priv field points to an ion_dma_buf_attachment structure.

Bug: 157163668
Change-Id: If79a90ae1ca54762bbead6e23518b21076efd44b
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
(cherry picked from commit 01b0584902c56d12569423ef8cdb37d3a132a629)
Signed-off-by: Hridya Valsaraju <hridya@google.com>
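A userspace C model of the type confusion the commit describes, added here as an illustration and not taken from the ion driver: only `priv`, `mapped` and the two attachment type names come from the commit message; the struct layouts, the heap op name `unmap_dma_buf`, and the sample refcount values are constructed assumptions. The pre-fix path writes `mapped` into whatever `priv` points at before calling the heap's own unmap op; the post-fix path leaves `priv` alone whenever the heap supplies that op.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed model: priv, mapped and the two attachment type names come from
 * the commit message; layouts, the op name and all values are assumptions. */
struct dma_buf_attachment { void *priv; };            /* owner-defined per-attachment data */
struct ion_dma_buf_attachment { uint32_t mapped; };   /* ion's own, flag modelled as int */
struct custom_heap_attachment { uint32_t refcount; }; /* a custom heap's, same offset */
struct ion_heap {
    void (*unmap_dma_buf)(struct dma_buf_attachment *att); /* NULL: use ion's generic path */
};

/* Pre-fix: priv is always treated as ion_dma_buf_attachment. */
void ion_dma_buf_unmap_before(struct ion_heap *heap, struct dma_buf_attachment *att)
{
    struct ion_dma_buf_attachment *a = att->priv;
    a->mapped = 0;                     /* clobbers whatever priv really points at */
    if (heap->unmap_dma_buf)
        heap->unmap_dma_buf(att);
}

/* Post-fix: priv is only touched when no heap-specific unmap op exists. */
void ion_dma_buf_unmap_after(struct ion_heap *heap, struct dma_buf_attachment *att)
{
    if (heap->unmap_dma_buf) {
        heap->unmap_dma_buf(att);      /* the heap owns priv; leave it alone */
        return;
    }
    struct ion_dma_buf_attachment *a = att->priv;
    a->mapped = 0;
}

/* A custom heap's unmap op: drops one reference on its own attachment data. */
static void custom_unmap(struct dma_buf_attachment *att)
{
    ((struct custom_heap_attachment *)att->priv)->refcount--;
}

/* Refcount of a custom-heap attachment after one unmap: 2 when fixed,
 * 0xFFFFFFFF (decrement of the clobbered 0) when not. */
uint32_t refcount_after_unmap(bool fixed)
{
    struct custom_heap_attachment c = { .refcount = 3 };
    struct dma_buf_attachment att = { .priv = &c };
    struct ion_heap heap = { .unmap_dma_buf = custom_unmap };
    if (fixed)
        ion_dma_buf_unmap_after(&heap, &att);
    else
        ion_dma_buf_unmap_before(&heap, &att);
    return c.refcount;
}
```

The corrupted refcount in the unfixed path is the "inconsistent state" the commit message warns about: the foreign structure is modified through the wrong type before its real owner ever sees it.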