From c72866db6b303d3af1f579a0270bc88353dd8458 Mon Sep 17 00:00:00 2001 From: Rebecca Schultz Zavin Date: Thu, 7 Jul 2011 17:07:56 -0700 Subject: [PATCH 356/696] gpu: ion: Validate handles passed via the kernel api Before freeing or sharing handles, confirm that they are valid in the provided client Change-Id: I06ec599c0b277fcb5417325a12ecbf8b2d248a7b Signed-off-by: Rebecca Schultz Zavin --- drivers/gpu/ion/ion.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-) diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c index 1c25940..9cb5b25 100644 --- a/drivers/gpu/ion/ion.c +++ b/drivers/gpu/ion/ion.c @@ -333,6 +333,18 @@ end: void ion_free(struct ion_client *client, struct ion_handle *handle) { + bool valid_handle; + + BUG_ON(client != handle->client); + + mutex_lock(&client->lock); + valid_handle = ion_handle_validate(client, handle); + mutex_unlock(&client->lock); + + if (!valid_handle) { + WARN("%s: invalid handle passed to free.\n", __func__); + return; + } ion_handle_put(handle); } @@ -500,6 +512,16 @@ void ion_unmap_dma(struct ion_client *client, struct ion_handle *handle) struct ion_buffer *ion_share(struct ion_client *client, struct ion_handle *handle) { + bool valid_handle; + + mutex_lock(&client->lock); + valid_handle = ion_handle_validate(client, handle); + mutex_unlock(&client->lock); + if (!valid_handle) { + WARN("%s: invalid handle passed to share.\n", __func__); + return ERR_PTR(-EINVAL); + } + /* don't not take an extra refernce here, the burden is on the caller * to make sure the buffer doesn't go away while it's passing it * to another client -- ion_free should not be called on this handle -- 1.7.1