There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl() function.
A handle has a ref count of 1 and two tasks on different cpus call ION_IOC_FREE
simultaneously.
cpu 0 cpu 1
--
Subject: Re: [PATCH v3] staging/android/ion : fix a race condition in the ion driver

On 02/23/2016 08:38 PM, EunTaik Lee wrote:
> There is a use-after-free problem in the ion driver.
> This is caused by a race condition in the ion_ioctl()
> function.
>
> A handle has a ref count of 1 and two tasks on different
> cpus call ION_IOC_FREE simultaneously.
>
> cpu 0