authorSrinivasarao P <spathi@codeaurora.org>2018-10-29 16:44:50 +0530
committerSrinivasarao P <spathi@codeaurora.org>2018-11-12 12:12:49 +0530
commitf2b44c5c18564f604bae396783e26f7d05a333c6 (patch)
treea3256e5ac58e2cf315c6eb0faabcdfbcc8980eb4
parentf1587d8660239a4371a73d10a2c56834d7daf6cc (diff)
staging: android: ion: fix ION_IOC_IMPORT use-after-free
The use-after-free issue can also occur with ION_IOC_IMPORT just like in the commit 2c155709e4ef2d86d0176aac82e44c048a7e0255 ("staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free"). This is due to reacquiring client->lock in pass_to_user(). Change-Id: Ib5f3297504763c341b3ce343ef18538ce2c9c7d5 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
-rw-r--r--drivers/staging/android/ion/ion.c8
1 files changed, 4 insertions, 4 deletions
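--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -453,16 +453,14 @@ static struct ion_handle *user_ion_handle_get_check_overflow(
 /* passes a kref to the user ref count.
 * We know we're holding a kref to the object before and
 * after this call, so no need to reverify handle.
+* Caller must hold the client lock, except for ION_IOC_ALLOC.
 */
 static struct ion_handle *pass_to_user(struct ion_handle *handle)
 {
-struct ion_client *client = handle->client;
 struct ion_handle *ret;
-mutex_lock(&client->lock);
 ret = user_ion_handle_get_check_overflow(handle);
 ion_handle_put_nolock(handle);
-mutex_unlock(&client->lock);
 return ret;
 }
@@ -1700,7 +1698,8 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 {
 struct ion_handle *handle;
-handle = ion_import_dma_buf(client, data.fd.fd);
+mutex_lock(&client->lock);
+handle = ion_import_dma_buf_nolock(client, data.fd.fd);
 if (IS_ERR(handle)) {
 ret = PTR_ERR(handle);
 } else {
@@ -1710,6 +1709,7 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 else
 data.handle.handle = handle->id;
 }
+mutex_unlock(&client->lock);
 break;
 }
 case ION_IOC_SYNC: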
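Review bot: The new comment on pass_to_user in the first hunk states a locking precondition ("Caller must hold the client lock, except for ION_IOC_ALLOC") that nothing in the function enforces, and the exception is left unexplained: pass_to_user now calls user_ion_handle_get_check_overflow and ion_handle_put_nolock without taking client->lock itself, so any caller that drops or forgets the lock reintroduces the race this commit fixes. I would either extend the comment to say why the ION_IOC_ALLOC path is safe without the lock (presumably because the handle is not yet reachable by other threads at that point — to be confirmed against the ALLOC case, which is outside these hunks), or, if that is not the case, have ALLOC take the lock too so `lockdep_assert_held(&client->lock);` can be placed as the first statement of pass_to_user. In the ION_IOC_IMPORT hunks, client->lock is now held from before ion_import_dma_buf_nolock until after the handle id is copied out, which matches the new contract, but ion_import_dma_buf_nolock is not defined in this diff, so it must already exist in this tree and must not acquire client->lock itself. ion_ioctl starts and ends outside these hunks.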