rtime.felk.cvut.cz Git - sojka/nv-tegra/linux-3.10.git/commit

author	Maneet Singh <mmaneetsingh@nvidia.com>
	Fri, 12 Sep 2014 03:12:33 +0000 (20:12 -0700)
committer	Winnie Hsu <whsu@nvidia.com>
	Fri, 26 Sep 2014 17:24:59 +0000 (10:24 -0700)
commit	6a3fc6f05ccfb0c18751efd3a3aae783ba82607a
tree	144d1c9205f772489fc2cf0cec8739556cdd4b17	tree \| snapshot
parent	729cdd9d85f7fe4ab63a20ec18526e3f1c550e74	commit \| diff

video: tegra: nvmap: fix use-after-free race condition

Incremented nvmap_handle ref count in utility function
nvmap_get_id_from_dmabuf_fd() before the function release reference
to dma buffer. This is required to avoid race conditions in nvmap
code where nvmap_handle returned by this function could be freed
concurrently while the caller is still using it.

As a side effect of above change, every caller of this utility
function must decrement nvmap_handle ref count after using the
returned nvmap_handle.

Bug 1553082

Change-Id: Iffc2e5819f8b493d5ed95a9d0c422ccd52438965
Signed-off-by: Maneet Singh <mmaneetsingh@nvidia.com>
Reviewed-on: http://git-master/r/498135
(cherry picked from commit afddea745cc4f4a824be501ecbbb50f55e7e6f04)
Reviewed-on: http://git-master/r/538986
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

drivers/video/tegra/nvmap/nvmap_dmabuf.c		diff \| blob \| history
drivers/video/tegra/nvmap/nvmap_handle.c		diff \| blob \| history
drivers/video/tegra/nvmap/nvmap_ioctl.c		diff \| blob \| history