
Commit a14baf71 authored by Colin Cross, committed by Greg Kroah-Hartman

ion: fix crash when alloc len is -1



If userspace passes a length between -4095 and -1 to allocate it
will pass the len != 0 check, but when len is page aligned it will
be 0.  Check len after page aligning.

Drop the warning as well, userspace shouldn't be able to trigger
a warning in the kernel.

Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 83271f62
+3 −3
@@ -485,11 +485,11 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len,
	 * request of the caller allocate from it.  Repeat until allocate has
	 * succeeded or all heaps have been tried
	 */
	if (WARN_ON(!len))
		return ERR_PTR(-EINVAL);

	len = PAGE_ALIGN(len);

	if (!len)
		return ERR_PTR(-EINVAL);

	down_read(&dev->lock);
	plist_for_each_entry(heap, &dev->heaps, node) {
		/* if the caller didn't specify this heap id */
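Review bot: the `if (!len)` test that follows `len = PAGE_ALIGN(len)` has no comment saying it also catches wraparound, and the block comment above it only describes heap selection. Since `len` is a `size_t` in the `ion_alloc()` signature, a request within a page of the maximum value rounds up to 0, and that reasoning currently lives only in the commit message. A one-line comment at the check, for example "PAGE_ALIGN() wraps to 0 for len near SIZE_MAX", would keep a later cleanup from moving the test back above the alignment. Returning `ERR_PTR(-EINVAL)` without `WARN_ON` is the right choice for a value userspace controls.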