Commit a15a4042 authored Aug 31, 2018 by Liam Mark

ion: Ensure ion_buffer fields are initialized



In the process_one_prefetch and process_one_shrink functions there are
local ion_buffer objects with fields which aren't initialized.

This can be a problem, for example if the private_flags
ION_PRIV_FLAG_SHRINKER_FREE flag is randomly set then this can lead to
memory which is not HYP assigned to the HLOS vmid being freed back to the
buddy allocator.

-002|__free_pages()
-003|ion_page_pool_free_pages()
-004|ion_page_pool_free_immediate()
-005|free_buffer_page()
-006|split_page_from_secure_pool()
-007|alloc_from_pool_preferred()
-007|ion_system_heap_allocate()
-008|process_one_shrink()
-008|ion_system_secure_heap_prefetch_work()

To fix this issue initialize all ion_buffer fields to zero for these local
variables.

Change-Id: I6bff85e9bf1e975d393d0ae6cef2f3931c8db217
Signed-off-by: Liam Mark <lmark@codeaurora.org>

parent d8f81fe4

drivers/staging/android/ion/ion_system_secure_heap.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -109,8 +109,8 @@ static void process_one_prefetch(struct ion_heap *sys_heap,
		int ret;
		int vmid;

		memset(&buffer, 0, sizeof(struct ion_buffer));
		buffer.heap = sys_heap;
		buffer.flags = 0;

		ret = sys_heap->ops->allocate(sys_heap, &buffer, info->size,
		buffer.flags);
		@@ -167,6 +167,7 @@ static void process_one_shrink(struct ion_heap *sys_heap,
		size_t pool_size, size;
		int ret;

		memset(&buffer, 0, sizeof(struct ion_buffer));
		buffer.heap = sys_heap;
		buffer.flags = info->vmid;