Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c29ede69 authored by Vinayak Menon's avatar Vinayak Menon Committed by Gerrit - the friendly Code Review server
Browse files

ion: invalidate the pool pointers after free 



ion_system_heap_destroy_pools frees the pool, but
does not invalidate the pointer. This can result in
a double free if ion_system_heap_create_pools fails,
and then causes ion_system_heap_create to call into
ion_system_heap_destroy_pools again from the error
path. This can happen in ion_system_heap_create when
one of the secure pool creation fails.

Change-Id: Ic73ca78722aa5a575cc4dd7c1caa560b518094f2
Signed-off-by: default avatarVinayak Menon <vinmenon@codeaurora.org>
parent 08d73209

drivers/staging/android/ion/ion_system_heap.c

+4 −2
Original line number Original line Diff line number Diff line
@@ -2,7 +2,7 @@ 
 * drivers/staging/android/ion/ion_system_heap.c

 * drivers/staging/android/ion/ion_system_heap.c

 *

 *

 * Copyright (C) 2011 Google, Inc.

 * Copyright (C) 2011 Google, Inc.

 * Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.

 * Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.

 *

 *

 * This software is licensed under the terms of the GNU General Public

 * This software is licensed under the terms of the GNU General Public

 * License version 2, as published by the Free Software Foundation, and

 * License version 2, as published by the Free Software Foundation, and
@@ -587,8 +587,10 @@ static void ion_system_heap_destroy_pools(struct ion_page_pool **pools) 
	int i;

	int i;





	for (i = 0; i < NUM_ORDERS; i++)

	for (i = 0; i < NUM_ORDERS; i++)

		if (pools[i])

		if (pools[i]) {

			ion_page_pool_destroy(pools[i]);

			ion_page_pool_destroy(pools[i]);

			pools[i] = NULL;

		}

}

}





/**

/**