Re: [PATCH v2] staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

On 09/04/2018 09:33 AM, Greg Hackmann wrote: The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several times while operating on one of the client's ion_handles. This creates windows where userspace can call ION_IOC_FREE on the same client with the same handle, and effectively make

Re: [PATCH v2] staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

On 09/04/2018 09:33 AM, Greg Hackmann wrote: The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several times while operating on one of the client's ion_handles. This creates windows where userspace can call ION_IOC_FREE on the same client with the same handle, and effectively make

[PATCH v2] staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several times while operating on one of the client's ion_handles. This creates windows where userspace can call ION_IOC_FREE on the same client with the same handle, and effectively make the kernel drop its own reference. For example:

[PATCH v2] staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several times while operating on one of the client's ion_handles. This creates windows where userspace can call ION_IOC_FREE on the same client with the same handle, and effectively make the kernel drop its own reference. For example: