video: tegra: nvmap: Clear handle->owner on release

A struct nvmap_handle may be shared by multiple clients.  If the
original client (the handle "owner") is destroyed, but the handle is
still referenced by other clients, h->owner points to freed memory.  To
prevent this, clear h->owner when the owner frees its reference to that
struct nvmap_handle.

Change-Id: I54722091568ce2058f5988e5f6e00e68605a8100
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>

diff --git a/drivers/video/tegra/nvmap/nvmap_handle.c b/drivers/video/tegra/nvmap/nvmap_handle.c
index 4455c8d1cce10c590e06b1bf2a070b2141b6b8e7..44f55b3f59baa89945e19ac358d4636f5e49321e 100644 (file)
--- a/drivers/video/tegra/nvmap/nvmap_handle.c
+++ b/drivers/video/tegra/nvmap/nvmap_handle.c
@@ -379,6 +379,9 @@ void nvmap_free_handle_id(struct nvmap_client *client, unsigned long id)
        while (pins--)
                nvmap_unpin_handles(client, &ref->handle, 1);
 
+       if (h->owner == client)
+               h->owner = NULL;
+
        kfree(ref);
 
 out: