From f2b44c5c18564f604bae396783e26f7d05a333c6 Mon Sep 17 00:00:00 2001
From: Srinivasarao P
Date: Mon, 29 Oct 2018 16:44:50 +0530
Subject: [PATCH] staging: android: ion: fix ION_IOC_IMPORT use-after-free
The use-after-free issue can also occur with ION_IOC_IMPORT just like in the commit 2c155709e4ef2d86d0176aac82e44c048a7e0255 ("staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free"). This is due to reacquiring client->lock in pass_to_user().
Change-Id: Ib5f3297504763c341b3ce343ef18538ce2c9c7d5
Signed-off-by: Srinivasarao P
---
 drivers/staging/android/ion/ion.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 05fc6a7af8c2..9a0b73bc1379 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -453,16 +453,14 @@ static struct ion_handle *user_ion_handle_get_check_overflow(
 /* passes a kref to the user ref count.
 * We know we're holding a kref to the object before and
 * after this call, so no need to reverify handle.
+ * Caller must hold the client lock, except for ION_IOC_ALLOC.
 */
 static struct ion_handle *pass_to_user(struct ion_handle *handle)
 {
- struct ion_client *client = handle->client;
 struct ion_handle *ret;
 
- mutex_lock(&client->lock);
 ret = user_ion_handle_get_check_overflow(handle);
 ion_handle_put_nolock(handle);
- mutex_unlock(&client->lock);
 return ret;
 }
 
@@ -1700,7 +1698,8 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 {
 struct ion_handle *handle;
 
- handle = ion_import_dma_buf(client, data.fd.fd);
+ mutex_lock(&client->lock);
+ handle = ion_import_dma_buf_nolock(client, data.fd.fd);
 if (IS_ERR(handle)) {
 ret = PTR_ERR(handle);
 } else {
@@ -1710,6 +1709,7 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 else
 data.handle.handle = handle->id;
 }
+ mutex_unlock(&client->lock);
 break;
 }
 case ION_IOC_SYNC:
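Review bot: The added comment line records that ION_IOC_ALLOC may call pass_to_user() without client->lock, but not why that is safe, even though the two calls in the body (user_ion_handle_get_check_overflow() and ion_handle_put_nolock()) are exactly what the removed mutex_lock()/mutex_unlock() pair used to protect. Presumably the freshly allocated handle is not yet reachable by any other task on that path, but the patch does not show it; the exemption should state its reason so that a future caller does not copy it, e.g. `* Caller must hold client->lock; ION_IOC_ALLOC may skip it only while the new handle is not yet visible to other tasks.`, with the reason confirmed against the alloc path. The exemption also rules out adding `lockdep_assert_held(&handle->client->lock)` at the top of the function, which is worth saying in the same comment.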
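Review bot: The mutex_lock() added here is released only in the next hunk, after the else branch and before `break`, and old lines 1707-1709 between the two hunks are not in the patch, so it cannot be confirmed from the diff alone that nothing in that gap (presumably the pass_to_user() call the commit message refers to) returns or jumps out with the lock still held; that stretch should be checked. A comment at the lock would make the extended critical section explicit: `/* client->lock stays held until the user ref is taken, so a concurrent free cannot drop the handle in between. */`. The same lock/unlock pairing applies to the mutex_unlock() in the third hunk. The enclosing ion_ioctl() starts and ends outside the hunk.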