From: Rebecca Schultz Zavin
Date: Fri, 8 Jul 2011 00:07:56 +0000 (-0700)
Subject: gpu: ion: Validate handles passed via the kernel api
X-Git-Tag: firefly_0821_release~7613^2~547
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=c72866db6b303d3af1f579a0270bc88353dd8458;p=firefly-linux-kernel-4.4.55.git
gpu: ion: Validate handles passed via the kernel api
Before freeing or sharing handles, confirm that they are valid in the provided client
Change-Id: I06ec599c0b277fcb5417325a12ecbf8b2d248a7b
Signed-off-by: Rebecca Schultz Zavin
---
diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c
index 1c25940a1fd1..9cb5b25bb110 100644
--- a/drivers/gpu/ion/ion.c
+++ b/drivers/gpu/ion/ion.c
@@ -333,6 +333,18 @@ end:
 void ion_free(struct ion_client *client, struct ion_handle *handle)
 {
+ bool valid_handle;
+
+ BUG_ON(client != handle->client);
+
+ mutex_lock(&client->lock);
+ valid_handle = ion_handle_validate(client, handle);
+ mutex_unlock(&client->lock);
+
+ if (!valid_handle) {
+ WARN("%s: invalid handle passed to free.\n", __func__);
+ return;
+ }
 ion_handle_put(handle);
 }
@@ -500,6 +512,16 @@ void ion_unmap_dma(struct ion_client *client, struct ion_handle *handle)
 struct ion_buffer *ion_share(struct ion_client *client, struct ion_handle *handle)
 {
+ bool valid_handle;
+
+ mutex_lock(&client->lock);
+ valid_handle = ion_handle_validate(client, handle);
+ mutex_unlock(&client->lock);
+ if (!valid_handle) {
+ WARN("%s: invalid handle passed to share.\n", __func__);
+ return ERR_PTR(-EINVAL);
+ }
+
 /* don't not take an extra refernce here, the burden is on the caller
 * to make sure the buffer doesn't go away while it's passing it
 * to another client -- ion_free should not be called on this handle
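Review bot: In ion_free, `BUG_ON(client != handle->client);` dereferences `handle` before `ion_handle_validate()` has run, so a stale or garbage handle is read, and can panic the kernel, before the new check gets a chance to reject it; the ownership check belongs after validation has succeeded. Both `WARN()` calls (here and in the ion_share hunk) omit the condition argument, so the format string is taken as the condition and `__func__` as the format; they should read `WARN(1, "%s: invalid handle passed to free.\n", __func__);` and the equivalent for share. In both hunks `client->lock` is released before the handle is used (`ion_handle_put(handle)` here; the rest of ion_share lies outside the hunk), so the result of the check can already be stale at the point of use. Holding the lock across the use, or taking a reference while it is held, would close that window if the put path's own locking permits it.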
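Review bot: ion_share gains a failure return, `ERR_PTR(-EINVAL)`, and nothing visible in the hunk documents it; an in-kernel caller that only tests the result against NULL (callers are not shown here) would go on to use the error pointer as a buffer. A comment above the function would make the contract explicit, for example `/* Returns the shared buffer, or ERR_PTR(-EINVAL) if @handle is not valid in @client; check the result with IS_ERR(). */`. The function body continues past the end of the hunk, so any other return paths should be checked for consistency with that wording.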