Skip to content
Snippets Groups Projects
Commit 2e9efae7 authored by Daniel Rosenberg's avatar Daniel Rosenberg Committed by Ben Fennema
Browse files

ion: Fix use after free during ION_IOC_ALLOC 


If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.

This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.

Bug: 31568617
Bug: 32987001
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: default avatarDaniel Rosenberg <drosen@google.com>
parent 0682eaef
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment