On Tue, Jan 25, 2022 at 02:18:06PM +0000, Lee Jones wrote:
From: Daniel Rosenberg <drosen@google.com>
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle.
This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
NB: These are Android patches that were not sent to Mainline.
Only v4.9 is affected by these issues due to refactoring.
All now queued up, thanks.
greg k-h
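
The race described in the commit message above, as an added example that is not part of the patch or of the ION driver: a single-threaded C model that replays the interleaving in a fixed order, with and without the extra reference. All names (`struct handle`, `free_handle`, `run_alloc_ioctl`) are hypothetical, and dropping the extra reference at the end of the ioctl path is an assumption about how such a reference is released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model; names are hypothetical, not the ION driver's. */
struct handle {
    int refs;        /* reference count */
    bool in_table;   /* id is still registered for the client */
    bool destroyed;  /* destructor has run (memory would be freed) */
    int stale_uses;  /* accesses made after destruction */
};

static void handle_get(struct handle *h) { h->refs++; }

static void handle_put(struct handle *h)
{
    if (--h->refs == 0)
        h->destroyed = true;
}

/* Models a free request: drops the reference held by the id table. */
static void free_handle(struct handle *h)
{
    if (h->destroyed) {      /* in a kernel this touches freed memory */
        h->stale_uses++;
        return;
    }
    if (h->in_table) {
        h->in_table = false;
        handle_put(h);
    }
}

/* Replays the alloc ioctl path in the order the commit message describes. */
static struct handle run_alloc_ioctl(bool grab_ref, bool racing_free, bool copy_fails)
{
    struct handle h = { .refs = 1, .in_table = true }; /* alloc: table owns one ref */
    if (grab_ref) handle_get(&h);      /* fix: the ioctl path holds its own ref */
    if (racing_free) free_handle(&h);  /* another thread frees the new id */
    if (copy_fails) free_handle(&h);   /* cleanup after copy_to_user fails */
    if (grab_ref) handle_put(&h);      /* assumed: ioctl ref dropped on exit */
    return h;
}

int main(void)
{
    printf("no extra ref:   stale_uses=%d\n", run_alloc_ioctl(false, true, true).stale_uses);
    printf("with extra ref: stale_uses=%d\n", run_alloc_ioctl(true, true, true).stale_uses);
    return 0;
}
```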