projects / firefly-linux-kernel-4.4.55.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b2ee33e)
gpu: ion: fix use-after-free in ion_heap_freelist_drain
authorMitchel Humpherys <mitchelh@codeaurora.org>
Tue, 6 Aug 2013 18:19:42 +0000 (11:19 -0700)
committerColin Cross <ccross@android.com>
Thu, 12 Dec 2013 23:27:06 +0000 (15:27 -0800)
The `buffer' variable is being used after being freed. Fix this.

Change-Id: Iea3471fa7dc7535bbf0620c1639fea2008d7cf19
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
drivers/staging/android/ion/ion_heap.c patch | blob | history

diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
index 5a93a0273faac048839d39724cf7a9de5339ac9c..e061b266330d82f18957958f4afa7d5f494614e6 100644 (file)
--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -200,9 +200,9 @@ size_t ion_heap_freelist_drain(struct ion_heap *heap, size_t size)
                if (total_drained >= size)
                        break;
                list_del(&buffer->list);
-               ion_buffer_destroy(buffer);
                heap->free_list_size -= buffer->size;
                total_drained += buffer->size;
+               ion_buffer_destroy(buffer);
        }
        rt_mutex_unlock(&heap->lock);
 
Unnamed repository; edit this file 'description' to name the repository.