ion: invalidate the pool pointers after free

ion_system_heap_destroy_pools frees the pool, but does not invalidate the pointer. This can result in a double free if ion_system_heap_create_pools fails, and then causes ion_system_heap_create to call into ion_system_heap_destroy_pools again from the error path. This can happen in ion_system_heap_create when one of the secure pool creation fails. Bug: 70638103 Change-Id: Ic73ca78722aa5a575cc4dd7c1caa560b518094f2 Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org> Signed-off-by: Siqi Lin <siqilin@google.com>
2018-06-13 20:59:29 +05:30 · 2018-06-13 20:59:29 +05:30 · ec91320159
parent c60c7d6178
commit ec91320159
1 changed files with 4 additions and 2 deletions
--- a/drivers/staging/android/ion/ion_system_heap.c
+++ b/drivers/staging/android/ion/ion_system_heap.c
@ -2,7 +2,7 @@
 * drivers/gpu/ion/ion_system_heap.c
 *
 * Copyright (C) 2011 Google, Inc.
- * Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
 *
 * This software is licensed under the terms of the GNU General Public
 * License version 2, as published by the Free Software Foundation, and
@ -474,8 +474,10 @@ static void ion_system_heap_destroy_pools(struct ion_page_pool **pools)
 {
 	int i;
 	for (i = 0; i < num_orders; i++)
-		if (pools[i])
+		if (pools[i]) {
 			ion_page_pool_destroy(pools[i]);
+			pools[i] = NULL;
+		}
 }

 /**