Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 115bf9df authored by Daniel Rosenberg's avatar Daniel Rosenberg Committed by Gerrit - the friendly Code Review server
Browse files

ion: Fix use after free during ION_IOC_ALLOC 



If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.

This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.

Bug: 31568617
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: default avatarDaniel Rosenberg <drosen@google.com>
Git-repo: https://android.googlesource.com/kernel/msm/


Git-commit: 20a5411d0115b16826f3d327b6abb0192c8a2001
Signed-off-by: default avatarDennis Cagle <d-cagle@codeaurora.org>
parent c9104c96
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment