From: Robert Morell Date: Tue, 7 Dec 2010 01:32:01 +0000 (-0800) Subject: video: tegra: nvmap: Clear handle->owner on release X-Git-Tag: firefly_0821_release~9833^2~92^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0e3fe9b3944d3dad3b2268d4acdbd77fd727dcd5;p=firefly-linux-kernel-4.4.55.git video: tegra: nvmap: Clear handle->owner on release A struct nvmap_handle may be shared by multiple clients. If the original client (the handle "owner") is destroyed, but the handle is still referenced by other clients, h->owner points to freed memory. To prevent this, clear h->owner when the owner frees its reference to that struct nvmap_handle. Change-Id: I54722091568ce2058f5988e5f6e00e68605a8100 Signed-off-by: Rebecca Schultz Zavin --- diff --git a/drivers/video/tegra/nvmap/nvmap_handle.c b/drivers/video/tegra/nvmap/nvmap_handle.c index 4455c8d1cce1..44f55b3f59ba 100644 --- a/drivers/video/tegra/nvmap/nvmap_handle.c +++ b/drivers/video/tegra/nvmap/nvmap_handle.c @@ -379,6 +379,9 @@ void nvmap_free_handle_id(struct nvmap_client *client, unsigned long id) while (pins--) nvmap_unpin_handles(client, &ref->handle, 1); + if (h->owner == client) + h->owner = NULL; + kfree(ref); out:
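Review bot: The new `if (h->owner == client) h->owner = NULL;` placed just before `kfree(ref)` in nvmap_free_handle_id() is a check-then-store on a field of a handle that, per the commit message, other clients may still reference, and nothing in the visible context shows a lock held around it. Please state in a comment (or in the commit message) which lock serializes writes to h->owner against readers in other clients, or take it here. Two follow-ups are worth confirming before merging. First, after this change h->owner can legitimately be NULL while the handle is still live, so every place that dereferences h->owner needs a NULL check; the hunk does not touch any reader. Second, the commit message describes the owner client being destroyed, while the fix lives only in nvmap_free_handle_id(); if client teardown drops its references through a different path, the same clear is needed there, otherwise the dangling pointer remains in that case.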