Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7da415f4 authored Sep 10, 2015 by Neeti Desai Committed by Rohit Vaswani Oct 01, 2015

msm: ion: Fix NULL pointer dereference in error path



If the hypervisor fails to assign the correct vmids to the
memory allocated, we should free the allocated memory. However
the free path depends on certain parameters of the ion_buffer
structure which have not yet been populated.

Update the function definition to accept the scatter gather list
instead of the ion buffer, since we are zero'ing the list
and not the buffer.

Change-Id: I68bef3af6c1b7e8092fbc0e878d3c825580f438e
Signed-off-by: Neeti Desai <neetid@codeaurora.org>

parent f5d3db32

drivers/staging/android/ion/ion_priv.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -261,7 +261,7 @@ int ion_heap_pages_zero(struct page *page, size_t size, pgprot_t pgprot);

		int msm_ion_heap_high_order_page_zero(struct page *page, int order);
		struct ion_heap *get_ion_heap(int heap_id);
		int msm_ion_heap_buffer_zero(struct ion_buffer *buffer);
		int msm_ion_heap_sg_table_zero(struct sg_table *, size_t size);
		int msm_ion_heap_pages_zero(struct page **pages, int num_pages);
		int msm_ion_heap_alloc_pages_mem(struct pages_mem *pages_mem);
		void msm_ion_heap_free_pages_mem(struct pages_mem *pages_mem);

drivers/staging/android/ion/ion_system_heap.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -333,14 +333,14 @@ void ion_system_heap_free(struct ion_buffer *buffer)
		struct ion_system_heap *sys_heap = container_of(heap,
		struct ion_system_heap,
		heap);
		struct sg_table *table = buffer->sg_table;
		struct sg_table *table = buffer->priv_virt;
		struct scatterlist *sg;
		LIST_HEAD(pages);
		int i;

		if (!(buffer->private_flags & ION_PRIV_FLAG_SHRINKER_FREE) &&
		!(buffer->flags & ION_FLAG_POOL_FORCE_ALLOC))
		msm_ion_heap_buffer_zero(buffer);
		msm_ion_heap_sg_table_zero(table, buffer->size);

		for_each_sg(table->sgl, sg, table->nents, i)
		free_buffer_page(sys_heap, buffer, sg_page(sg),

drivers/staging/android/ion/ion_system_secure_heap.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -125,6 +125,13 @@ static int ion_system_secure_heap_allocate(struct ion_heap *heap,
		return ret;

		err:
		/*
		* the buffer->size field is populated in the caller of this function
		* and hence uninitialized when ops->free is called. Populating the
		* field here to handle the error condition correctly.
		*/
		buffer->size = size;
		buffer->heap = secure_heap->sys_heap;
		secure_heap->sys_heap->ops->free(buffer);
		return ret;
		}

drivers/staging/android/ion/msm/msm_ion.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -805,14 +805,13 @@ int msm_ion_heap_high_order_page_zero(struct page *page, int order)
		return ret;
		}

		int msm_ion_heap_buffer_zero(struct ion_buffer *buffer)
		int msm_ion_heap_sg_table_zero(struct sg_table *table, size_t size)
		{
		struct sg_table *table = buffer->sg_table;
		struct scatterlist *sg;
		int i, j, ret = 0, npages = 0;
		struct pages_mem pages_mem;

		pages_mem.size = PAGE_ALIGN(buffer->size);
		pages_mem.size = PAGE_ALIGN(size);

		if (msm_ion_heap_alloc_pages_mem(&pages_mem))
		return -ENOMEM;