Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit c029f955 authored by Nathan Chancellor's avatar Nathan Chancellor
Browse files

staging: ion: msm: Apply 2c155709 to msm_ion_custom_ioctl 



Commit 2c155709 ("staging: android: ion: fix ION_IOC_{MAP,SHARE}
use-after-free") removed the definition of ion_handle_get_by_id,
replacing it with a lockless version. Update msm_ion_custom_ioctl with
this new definition and locking scheme for completeness (it appears that
the ioctl does not suffer from the issue outlined by Greg Hackmann).

Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
parent 06928915

drivers/staging/android/ion/ion.c

+2 −2
Original line number Diff line number Diff line
@@ -420,7 +420,7 @@ static struct ion_handle *ion_handle_lookup(struct ion_client *client, 
	return ERR_PTR(-EINVAL);

}



static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,

struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,

					       int id)

{

	struct ion_handle *handle;

drivers/staging/android/ion/ion_priv.h

+2 −2
Original line number Diff line number Diff line
@@ -581,7 +581,7 @@ int ion_walk_heaps(struct ion_client *client, int heap_id, 
			enum ion_heap_type type, void *data,

			int (*f)(struct ion_heap *heap, void *data));



struct ion_handle *ion_handle_get_by_id(struct ion_client *client,

struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,

					       int id);



int ion_handle_put(struct ion_handle *handle);

drivers/staging/android/ion/msm/msm_ion.c

+4 −1
Original line number Diff line number Diff line
@@ -720,13 +720,16 @@ long msm_ion_custom_ioctl(struct ion_client *client, 
		struct mm_struct *mm = current->active_mm;



		if (data.flush_data.handle > 0) {

			handle = ion_handle_get_by_id(client,

			mutex_lock(&client->lock);

			handle = ion_handle_get_by_id_nolock(client,

						(int)data.flush_data.handle);

			if (IS_ERR(handle)) {

				mutex_unlock(&client->lock);

				pr_info("%s: Could not find handle: %d\n",

					__func__, (int)data.flush_data.handle);

				return PTR_ERR(handle);

			}

			mutex_unlock(&client->lock);

		} else {

			handle = ion_import_dma_buf(client, data.flush_data.fd);

			if (IS_ERR(handle)) {