On Mon, Jan 24, 2022 at 04:12:41PM +0000, Lee Jones wrote:
From: Daniel Rosenberg <drosen@google.com>
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle.
This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>

drivers/staging/android/ion/ion-ioctl.c | 14 +++++++++-----
drivers/staging/android/ion/ion.c | 15 ++++++++++++---
drivers/staging/android/ion/ion.h | 4 ++++
3 files changed, 25 insertions(+), 8 deletions(-)
What is the git commit id of this in Linus's tree (same for the other 2)?
And why just 4.9? What about 4.14 and newer kernels?
thanks,
greg k-h
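
The race described in the quoted commit message, as a single-threaded C model added here (not code from the patch or the ion driver). The struct and function names are hypothetical, and the concurrent ION_IOC_FREE is replayed as a fixed interleaving rather than a real second thread:

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model; hypothetical names, not the ion driver's code. */
struct handle {
    int refs;           /* reference count */
    bool in_table;      /* id still resolvable by the client */
    bool released;      /* refs reached 0 (stands in for kfree) */
    int stale_accesses; /* uses after release: the bug being modelled */
};
struct outcome { int stale_accesses; bool released; };

static void handle_get(struct handle *h) { h->refs++; }

static void handle_put(struct handle *h)
{
    if (h->released) { h->stale_accesses++; return; }
    if (--h->refs == 0) h->released = true;
}

/* Free path: drops the table's reference once, if the id is still valid. */
static void handle_free(struct handle *h)
{
    if (h->released) { h->stale_accesses++; return; }
    if (!h->in_table)
        return;
    h->in_table = false;
    handle_put(h);
}

/* One ALLOC ioctl replayed as a fixed interleaving. */
static struct outcome run_alloc(bool hold_ref, bool racing_free, bool copy_fails)
{
    struct handle h = { .refs = 1, .in_table = true };
    if (hold_ref)
        handle_get(&h);   /* the fix: the ioctl keeps its own reference */
    if (racing_free)
        handle_free(&h);  /* other thread frees the just-allocated id */
    if (copy_fails)
        handle_free(&h);  /* error-path cleanup after the failed copy */
    if (hold_ref)
        handle_put(&h);   /* ioctl drops its reference on the way out */
    return (struct outcome){ h.stale_accesses, h.released };
}

int main(void)
{
    printf("stale accesses: unfixed=%d fixed=%d\n",
           run_alloc(false, true, true).stale_accesses,
           run_alloc(true, true, true).stale_accesses);
    return 0;
}
```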