Commit 98eb96b9 authored Nov 13, 2013 by Colin Cross Committed by Mitchel Humpherys Jan 25, 2014

ion: fix crash when alloc len is -1



If userspace passes a length between -4095 and -1 to allocate it
will pass the len != 0 check, but when len is page aligned it will
be 0.  Check len after page aligning.

Drop the warning as well, userspace shouldn't be able to trigger
a warning in the kernel.

Change-Id: I96c7142637638991f3a9af9be7cfbb50f79f3803
Signed-off-by: Colin Cross <ccross@android.com>
Git-commit: 49bdc418a3c1129d49fe92d89cf77111584fb51f
Git-repo: http://android.googlesource.com/kernel/common/


Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>

parent 0d83a21b

drivers/staging/android/ion/ion.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -501,11 +501,11 @@ struct ion_handle ion_alloc(struct ion_client client, size_t len,
		* request of the caller allocate from it. Repeat until allocate has
		* succeeded or all heaps have been tried
		*/
		if (WARN_ON(!len))
		return ERR_PTR(-EINVAL);

		len = PAGE_ALIGN(len);

		if (!len)
		return ERR_PTR(-EINVAL);

		down_read(&dev->lock);
		plist_for_each_entry(heap, &dev->heaps, node) {
		/* if the caller didn't specify this heap id */