On Tue, Jan 25, 2022 at 09:21:24AM +0000, Lee Jones wrote:
> On Mon, 24 Jan 2022, Greg KH wrote:
> > On Mon, Jan 24, 2022 at 04:12:41PM +0000, Lee Jones wrote:
> > > From: Daniel Rosenberg <drosen@google.com>
> > >
> > > If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the
> > > just allocated id, and the copy_to_user fails, the cleanup code will
> > > attempt to free an already freed handle.
> > >
> > > This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid
> > > this.
> > >
> > > Signed-off-by: Daniel Rosenberg <drosen@google.com>
> > > Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
> > > Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
> > > Signed-off-by: Lee Jones <lee.jones@linaro.org>
> > >
> > >  drivers/staging/android/ion/ion-ioctl.c | 14 +++++++++-----
> > >  drivers/staging/android/ion/ion.c       | 15 ++++++++++++---
> > >  drivers/staging/android/ion/ion.h       |  4 ++++
> > >  3 files changed, 25 insertions(+), 8 deletions(-)
> >
> > What is the git commit id of this in Linus's tree (same for the other 2)?
>
> They are not in Linus' tree.
>
> These fixes only made it into Android for some reason.
>
> > And why just 4.9? What about 4.14 and newer kernels?
>
> The troublesome code was refactored before v4.14.

Then that needs to be said here in the changelog text please.

thanks,

greg k-h
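The commit message above describes a lifetime race: the alloc path publishes a handle id, a concurrent ION_IOC_FREE on that id drops the table's reference, and when copy_to_user() then fails the cleanup path touches a handle that is already gone. The model below is an added example written for this thread, not the ION driver's code and not the patch under discussion; `struct handle`, `handle_free` and `alloc_ioctl` are simplified stand-ins, and the `freed` flag is a model-only detector that reports a use-after-free instead of corrupting memory. It shows why holding an extra reference across the copy-out (the `ion_handle_get` the patch adds) turns the race into a harmless "handle no longer registered" rejection.

```c
/* Added example: a toy model of the refcount race described in the commit
 * message. Not ION's real code; names and the free-path check are assumptions. */
#include <assert.h>
#include <stdio.h>

#define ERR_FAULT   (-14)   /* copy_to_user() failed */
#define ERR_INVAL   (-22)   /* handle no longer registered with the client */
#define ERR_UAF    (-100)   /* model-only: a freed handle was touched */

struct handle {
    int refcount;    /* references held on the handle struct */
    int registered;  /* still present in the client's handle table */
    int freed;       /* model-only: struct memory has been released */
};

static void handle_get(struct handle *h) { h->refcount++; }

/* Drop one reference; the last one releases the struct. */
static int handle_put(struct handle *h)
{
    if (h->freed)
        return ERR_UAF;
    if (--h->refcount == 0)
        h->freed = 1;
    return 0;
}

/* Both ION_IOC_FREE and the alloc-path cleanup go through here: unregister
 * the handle and drop the table's reference. Reaching a freed struct here is
 * the bug the patch fixes. */
static int handle_free(struct handle *h)
{
    if (h->freed)
        return ERR_UAF;      /* cleanup raced a free that already completed */
    if (!h->registered)
        return ERR_INVAL;    /* already freed by someone else; reject safely */
    h->registered = 0;
    return handle_put(h);
}

/* ION_IOC_ALLOC path. hold_ref selects the fixed behaviour (the wrapper takes
 * a reference around the copy-out); racing_free injects an ION_IOC_FREE on the
 * new id between publishing it and the copy failing; copy_fails models
 * copy_to_user() failing. Returns 0, ERR_FAULT or ERR_UAF. */
static int alloc_ioctl(int hold_ref, int racing_free, int copy_fails,
                       struct handle *h)
{
    int ret = 0, rc;

    h->refcount = 1;     /* reference owned by the handle table */
    h->registered = 1;
    h->freed = 0;

    if (hold_ref)
        handle_get(h);   /* the fix: alloc path keeps its own reference */

    /* The id is now visible to user space; another thread may free it. */
    if (racing_free)
        handle_free(h);

    if (copy_fails) {
        ret = ERR_FAULT;
        rc = handle_free(h);           /* cleanup of the just-allocated id */
        if (rc == ERR_UAF)
            return ERR_UAF;
    }
    if (hold_ref) {
        rc = handle_put(h);            /* drop the temporary reference */
        if (rc == ERR_UAF)
            return ERR_UAF;
    }
    return ret;
}

int main(void)
{
    struct handle h;

    printf("unpatched, racing free, copy fails: %d (ERR_UAF = %d)\n",
           alloc_ioctl(0, 1, 1, &h), ERR_UAF);
    printf("patched,   racing free, copy fails: %d (ERR_FAULT = %d), freed=%d\n",
           alloc_ioctl(1, 1, 1, &h), ERR_FAULT, h.freed);
    printf("patched,   no race,     copy ok:    %d, refcount=%d\n",
           alloc_ioctl(1, 0, 0, &h), h.refcount);
    return 0;
}
```

Running it shows the unpatched path reporting a use-after-free only when the racing free and the copy failure coincide, while the patched path always ends with exactly one release of the handle: on failure the extra reference is the last one dropped, on success it is released and the table's reference survives.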