
Commit dad12176 authored by Isaac J. Manjarres, committed by Hridya Valsaraju

ANDROID: staging: ion: Fix potential memory corruption

ion_dma_buf_unmap() interprets the priv pointer in the
attachment structure as a pointer to an ion_dma_buf_attachment
structure, and modifies the "mapped" field of that structure.

In cases where the heap specifies its own dma-buf ops, this
is not correct, as the priv pointer in the attachment structure
may point to a structure that is not an ion_dma_buf_attachment
structure, and thus, the current implementation of
ion_dma_buf_unmap() will modify the unknown structure--potentially
putting it in an inconsistent state--prior to calling the heap's
dma-buf unmap operation.

Thus, modify the structure pointed to by the priv field in the
attachment structure only if the heap doesn't provide its own
implementation of the unmap operation, as that guarantees that
the priv field points to an ion_dma_buf_attachment structure.

Bug: 157163668
Change-Id: If79a90ae1ca54762bbead6e23518b21076efd44b
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
(cherry picked from commit 01b0584902c56d12569423ef8cdb37d3a132a629)
Signed-off-by: Hridya Valsaraju <hridya@google.com>
parent 48675044
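The hazard the commit message describes is a type confusion on an opaque `priv` pointer: the generic unmap path assumes `priv` is an `ion_dma_buf_attachment`, but a heap that installs its own dma-buf ops may have stored something else there. The following is an added, self-contained C model of that pattern (not the kernel's or this commit's actual code; the structure and field names `heap_ops`, `unmap_dma_buf`, `custom_heap_attachment`, `flags`, and `unmapped` are assumptions made for illustration). It places the unguarded "before" version beside the guarded "after" version and shows that the guard keeps the foreign structure intact.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the objects involved; names are assumptions, not the kernel's. */
struct attachment;

struct heap_ops {
    /* Optional heap-specific unmap. NULL means "use the generic ION path". */
    void (*unmap_dma_buf)(struct attachment *att);
};

struct heap {
    struct heap_ops buf_ops;
};

struct attachment {
    struct heap *heap;
    void *priv;   /* opaque: its meaning depends on who set the attachment up */
};

/* What the generic ION path stores in priv. */
struct ion_dma_buf_attachment {
    bool mapped;
};

/* Constructed example of what a heap with its own ops might store in priv.
 * 'flags' sits at offset 0, exactly where 'mapped' would be if priv were
 * misinterpreted as an ion_dma_buf_attachment. */
struct custom_heap_attachment {
    unsigned char flags;
    bool unmapped;
};

/* Before the fix: priv is treated as ion_dma_buf_attachment unconditionally,
 * and the foreign structure is modified before the heap's own unmap runs. */
static void ion_dma_buf_unmap_before(struct attachment *att)
{
    struct ion_dma_buf_attachment *a = att->priv;
    a->mapped = false;   /* type confusion when priv is a custom_heap_attachment */
    if (att->heap->buf_ops.unmap_dma_buf)
        att->heap->buf_ops.unmap_dma_buf(att);
}

/* After the fix: priv is only touched when no heap-specific unmap exists,
 * which is the only case in which priv is known to be an ion_dma_buf_attachment. */
static void ion_dma_buf_unmap_after(struct attachment *att)
{
    struct ion_dma_buf_attachment *a;

    if (att->heap->buf_ops.unmap_dma_buf) {
        att->heap->buf_ops.unmap_dma_buf(att);
        return;
    }
    a = att->priv;
    a->mapped = false;
}

/* Heap-specific unmap for the constructed custom heap: marks its own state. */
static void custom_unmap(struct attachment *att)
{
    struct custom_heap_attachment *c = att->priv;
    c->unmapped = true;
}

/* Unmap through a heap that supplies its own ops and report the foreign
 * structure's 'flags' afterwards: 0x3 means intact, 0 means clobbered. */
int custom_flags_after_unmap(bool fixed)
{
    struct heap custom = { .buf_ops = { .unmap_dma_buf = custom_unmap } };
    struct custom_heap_attachment c = { .flags = 0x3, .unmapped = false };
    struct attachment att = { .heap = &custom, .priv = &c };

    if (fixed)
        ion_dma_buf_unmap_after(&att);
    else
        ion_dma_buf_unmap_before(&att);
    return c.flags;
}

/* Generic path (heap without its own ops): both versions must clear 'mapped'. */
bool generic_mapped_after_unmap(void)
{
    struct heap generic = { .buf_ops = { .unmap_dma_buf = NULL } };
    struct ion_dma_buf_attachment a = { .mapped = true };
    struct attachment att = { .heap = &generic, .priv = &a };

    ion_dma_buf_unmap_after(&att);
    return a.mapped;
}

int main(void)
{
    printf("custom heap, before fix: flags=0x%x\n", custom_flags_after_unmap(false));
    printf("custom heap, after fix:  flags=0x%x\n", custom_flags_after_unmap(true));
    printf("generic heap, after fix: mapped=%d\n", generic_mapped_after_unmap());
    return 0;
}
```

The design point is that an opaque `void *priv` carries no type information of its own; the only thing that establishes its type is the code path that set it, so the consumer has to branch on the same condition (here, whether the heap installed its own ops) before dereferencing it.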