author | Srinivasarao P <spathi@codeaurora.org> | 2018-10-29 16:44:50 +0530 |
committer | Srinivasarao P <spathi@codeaurora.org> | 2018-11-12 12:12:49 +0530 |
commit | f2b44c5c18564f604bae396783e26f7d05a333c6 (patch) | |
tree | a3256e5ac58e2cf315c6eb0faabcdfbcc8980eb4 | |
parent | f1587d8660239a4371a73d10a2c56834d7daf6cc (diff) |
staging: android: ion: fix ION_IOC_IMPORT use-after-free
The use-after-free issue can also occur with ION_IOC_IMPORT
just like in the commit 2c155709e4ef2d86d0176aac82e44c048a7e0255
("staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free").
This is due to reacquiring client->lock in pass_to_user().
Change-Id: Ib5f3297504763c341b3ce343ef18538ce2c9c7d5
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
-rw-r--r-- | drivers/staging/android/ion/ion.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 05fc6a7af8c2..9a0b73bc1379 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -453,16 +453,14 @@ static struct ion_handle *user_ion_handle_get_check_overflow(
 /* passes a kref to the user ref count.
  * We know we're holding a kref to the object before and
  * after this call, so no need to reverify handle.
+ * Caller must hold the client lock, except for ION_IOC_ALLOC.
  */
 static struct ion_handle *pass_to_user(struct ion_handle *handle)
 {
-	struct ion_client *client = handle->client;
 	struct ion_handle *ret;
 
-	mutex_lock(&client->lock);
 	ret = user_ion_handle_get_check_overflow(handle);
 	ion_handle_put_nolock(handle);
-	mutex_unlock(&client->lock);
 	return ret;
 }
 
@@ -1700,7 +1698,8 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 	{
 		struct ion_handle *handle;
 
-		handle = ion_import_dma_buf(client, data.fd.fd);
+		mutex_lock(&client->lock);
+		handle = ion_import_dma_buf_nolock(client, data.fd.fd);
 		if (IS_ERR(handle)) {
 			ret = PTR_ERR(handle);
 		} else {
@@ -1710,6 +1709,7 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 			else
 				data.handle.handle = handle->id;
 		}
+		mutex_unlock(&client->lock);
 		break;
 	}
 	case ION_IOC_SYNC:
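Review bot: Dropping the mutex from pass_to_user() turns client->lock into a precondition the function no longer enforces, and the added comment's carve-out for ION_IOC_ALLOC means ion_handle_put_nolock() is reached without the lock on that path; the ALLOC caller is outside this diff, so whether the handle can already be found by a concurrent ION_IOC_FREE there cannot be checked from here. The comment should say why ALLOC is safe to exempt rather than only that it is, e.g. `* Caller must hold client->lock. ION_IOC_ALLOC is the one exception and must only call this before the handle is reachable by other users (confirm).` Every other caller of pass_to_user() not touched by this commit (or the referenced one) now drops a reference without the lock, which is the same window this patch closes for IMPORT; a quick audit of the remaining call sites is warranted.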
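Review bot: The critical section now opened before ion_import_dma_buf_nolock() is closed only by the mutex_unlock() added in the third hunk, and the lines between `} else {` and the `else` branch at line 1709 are not shown, so any `break`, `goto` or `return` in that gap would leave ion_ioctl with client->lock held; that stretch should be checked before merging. The visible error path `ret = PTR_ERR(handle);` correctly falls through to the unlock, and holding the lock across import and pass_to_user() is what removes the window in which another thread could free the handle between the two calls. ion_import_dma_buf_nolock() is not defined in this diff; presumably it arrived with the referenced ION_IOC_{MAP,SHARE} fix, which is worth confirming since the diffstat shows only ion.c changing. The enclosing ion_ioctl() starts and ends outside both hunks.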