video: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000 (14:31 +0530)]
Fix possible use after free issue.

Bug 1814555

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1257999
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index 30da683..887acdb 100644 (file)
@@ -334,24 +334,6 @@ int nvmap_ioctl_vpr_floor_size(struct file *filp, void __user *arg)
        return err;
 }
 
-static int nvmap_create_fd(struct nvmap_client *client, struct nvmap_handle *h)
-{
-       int fd;
-
-       fd = __nvmap_dmabuf_fd(client, h->dmabuf, O_CLOEXEC);
-       BUG_ON(fd == 0);
-       if (fd < 0) {
-               pr_err("Out of file descriptors");
-               return fd;
-       }
-       /* __nvmap_dmabuf_fd() associates fd with dma_buf->file *.
-        * fd close drops one ref count on dmabuf->file *.
-        * to balance ref count, ref count dma_buf.
-        */
-       get_dma_buf(h->dmabuf);
-       return fd;
-}
-
 int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg)
 {
        struct nvmap_create_handle op;
@@ -379,7 +361,7 @@ int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg)
        if (IS_ERR(ref))
                return PTR_ERR(ref);
 
-       fd = nvmap_create_fd(client, ref->handle);
+       fd = nvmap_get_dmabuf_fd(client, ref->handle);
        if (fd < 0)
                err = fd;
 
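Review bot: The new call `nvmap_get_dmabuf_fd(client, ref->handle)` still reads `ref->handle` with no reference visibly taken at the call site, so if the use-after-free comes from a concurrent free between handle creation and fd installation, the helper can only protect what happens after that dereference. The helper's definition is not in this diff, so it cannot be confirmed from here that it pins the handle before touching `h->dmabuf`, or that it keeps the `get_dma_buf()` balance documented in the removed `nvmap_create_fd()`. Once that is verified, I would add a comment above the call such as `/* nvmap_get_dmabuf_fd() pins the handle before using h->dmabuf; the returned fd owns one dma_buf reference */`, and name in the commit message the object that could be freed. The same applies to the identical replacement in `nvmap_ioctl_create_from_ivc`; both functions continue outside their hunks, so the cleanup after `fd < 0` is not visible.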
@@ -798,7 +780,7 @@ int nvmap_ioctl_create_from_ivc(struct file *filp, void __user *arg)
        else
                return PTR_ERR(ref);
 
-       fd = nvmap_create_fd(client, ref->handle);
+       fd = nvmap_get_dmabuf_fd(client, ref->handle);
        if (fd < 0)
                err = fd;