ion: Do not 'put' ION handle until after its final use
authorLee Jones <lee.jones@linaro.org>
Tue, 25 Jan 2022 14:18:08 +0000 (14:18 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Jan 2022 09:15:58 +0000 (10:15 +0100)
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.

Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.

Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/android/ion/ion-ioctl.c

index d47e9b4171e28ae0fb0d6ea78173d77952824b4f..a27865b94416b23344cfefe2f3a5bb1f54ca6205 100644 (file)
@@ -165,10 +165,9 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
                                     data.allocation.flags, true);
                if (IS_ERR(handle))
                        return PTR_ERR(handle);
-               pass_to_user(handle);
                data.allocation.handle = handle->id;
-
                cleanup_handle = handle;
+               pass_to_user(handle);
                break;
        }
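Review bot: The return value of `pass_to_user(handle)` on the moved line is still discarded in the ION_IOC_ALLOC path, whereas the ION_IOC_IMPORT path in the second hunk checks it with `IS_ERR()` and clears the handle id on failure. If pass_to_user() can fail here the same way, `data.allocation.handle` is returned to userspace holding the id of a handle that was never published, and `cleanup_handle` keeps pointing at an object whose reference pass_to_user() has already dropped, so the copy_to_user-failure cleanup that follows outside this hunk may touch a freed handle. Mirroring the import branch, `handle = pass_to_user(handle); if (IS_ERR(handle)) { ret = PTR_ERR(handle); data.allocation.handle = 0; cleanup_handle = NULL; }`, would close that gap, though whether pass_to_user() can fail on this path is not visible here and should be confirmed against its definition. Since the new ordering is the whole point of the fix and nothing in the code says why `handle->id` must be read first, a one-line comment such as `/* pass_to_user() drops our reference; read handle->id before calling it. */` above the assignment would keep a future cleanup from reordering it back. The enclosing ion_ioctl() body starts before and continues after this hunk.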
        case ION_IOC_FREE:
@@ -212,11 +211,12 @@ long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
                if (IS_ERR(handle)) {
                        ret = PTR_ERR(handle);
                } else {
+                       data.handle.handle = handle->id;
                        handle = pass_to_user(handle);
-                       if (IS_ERR(handle))
+                       if (IS_ERR(handle)) {
                                ret = PTR_ERR(handle);
-                       else
-                               data.handle.handle = handle->id;
+                               data.handle.handle = 0;
+                       }
                }
                break;
        }
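Review bot: The reason `data.handle.handle = handle->id` now precedes `pass_to_user()` is only stated in the commit message, not in the code, so the ordering looks arbitrary to a reader of the file and is easy to undo. A short comment above the assignment, `/* pass_to_user() may drop the last reference; read handle->id first. */`, would document the lifetime rule the fix depends on. On the error branch `handle` is overwritten with the ERR_PTR, so any use of it after the `switch` outside this hunk would have to be guarded; that code is not visible here and should be checked. The enclosing ion_ioctl() body starts before and continues after this hunk.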