video: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000 (14:31 +0530)]
Fix a possible use-after-free issue.

Bug 1814555
Bug 1884319

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index 7e59d24..27db8f6 100644 (file)
@@ -309,24 +309,6 @@ int nvmap_ioctl_alloc_kind(struct file *filp, void __user *arg)
        return err;
 }
 
-int nvmap_create_fd(struct nvmap_client *client, struct nvmap_handle *h)
-{
-       int fd;
-
-       fd = __nvmap_dmabuf_fd(client, h->dmabuf, O_CLOEXEC);
-       BUG_ON(fd == 0);
-       if (fd < 0) {
-               pr_err("Out of file descriptors");
-               return fd;
-       }
-       /* __nvmap_dmabuf_fd() associates fd with dma_buf->file *.
-        * fd close drops one ref count on dmabuf->file *.
-        * to balance ref count, ref count dma_buf.
-        */
-       get_dma_buf(h->dmabuf);
-       return fd;
-}
-
 int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg)
 {
        struct nvmap_create_handle op;
@@ -354,7 +336,7 @@ int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg)
        if (IS_ERR(ref))
                return PTR_ERR(ref);
 
-       fd = nvmap_create_fd(client, ref->handle);
+       fd = nvmap_get_dmabuf_fd(client, ref->handle);
        if (fd < 0)
                err = fd;