Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

gpu: ion: fix use-after-free in ion_heap_freelist_drain

The `buffer' variable is being used after being freed. Fix this.

Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mitchel Humpherys 11 years ago
parent
db866e3ded
commit
f020b4430b
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      drivers/staging/android/ion/ion_heap.c

+ 1 - 1
drivers/staging/android/ion/ion_heap.c
View File 

@@ -200,9 +200,9 @@ size_t ion_heap_freelist_drain(struct ion_heap *heap, size_t size)
 
 		if (total_drained >= size)
 
 			break;
 
 		list_del(&buffer->list);
 
-		ion_buffer_destroy(buffer);
 
 		heap->free_list_size -= buffer->size;
 
 		total_drained += buffer->size;
 
+		ion_buffer_destroy(buffer);
 
 	}
 
 	rt_mutex_unlock(&heap->lock);