ion: invalidate the pool pointers after free

ion_system_heap_destroy_pools frees the pool, but
does not invalidate the pointer. This can result in
a double free if ion_system_heap_create_pools fails,
and then causes ion_system_heap_create to call into
ion_system_heap_destroy_pools again from the error
path. This can happen in ion_system_heap_create when
one of the secure pool creation fails.

Change-Id: Ic73ca78722aa5a575cc4dd7c1caa560b518094f2
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
index 2ad4cc7a4785..a2ead280ac4e 100644
--- a/drivers/staging/android/ion/ion_system_heap.c
+++ b/drivers/staging/android/ion/ion_system_heap.c
@@ -2,7 +2,7 @@
  * drivers/staging/android/ion/ion_system_heap.c
  *
  * Copyright (C) 2011 Google, Inc.
- * Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
  *
  * This software is licensed under the terms of the GNU General Public
  * License version 2, as published by the Free Software Foundation, and
@@ -754,8 +754,10 @@ static void ion_system_heap_destroy_pools(struct ion_page_pool **pools)
 {
 	int i;
 	for (i = 0; i < num_orders; i++)
-		if (pools[i])
+		if (pools[i]) {
 			ion_page_pool_destroy(pools[i]);
+			pools[i] = NULL;
+		}
 }
 
 /**