| author | Greg Hackmann <ghackmann@google.com> | 2016-04-20 16:33:18 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-09-09 16:56:27 -0700 |
| commit | 6cced823ba428dbf6913d6d5a5369c54b0fcbc8d (patch) | |
| tree | 3fd5fee885678aa9ca34528d1fca96edfe044621 /fs/jbd2/commit.c | |
| parent | 3dc7ca5e82cc56abc0463e35f1851cd8e2eed97a (diff) | |
video: adf: zero out mapping data on adf_buffer_map() failure

If the following call chain fails

    adf_device_post_nocopy() ->
    adf_buffer_map() ->
    dma_buf_attach(); dma_buf_map_attachment()

then the attachment returned by dma_buf_attach() will get cleaned up
twice: first during the error-handling path inside adf_buffer_map(), and
again during the error-handling path inside adf_device_post_nocopy().

Fix this by zeroing out the mapping data inside adf_buffer_map()'s
error-handling path. When adf_device_post_nocopy() hands it back to
adf_buffer_mapping_cleanup(), it will deliberately skip over zeroed-out
data.

(The second adf_buffer_mapping_cleanup() call inside
adf_device_post_nocopy() is not a bug; it's intended to clean up after
any *other* buffers we handled as part of this request.)

CVE:CVE-2016-3811
Bug: 28025945
Bug: 28279077
Change-Id: I824d980b208da3a15d35f74970755c8f18500263
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 4436de7a92d037599e0d217f16f9c391b6ad866a
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Diffstat (limited to 'fs/jbd2/commit.c')
0 files changed, 0 insertions, 0 deletions
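The cleanup pattern the commit message describes, modelled in user-space C as an added example (not the ADF driver code and not part of this commit). All type and function names are hypothetical stand-ins, and releases are counted rather than performed, so the run shows the attachment released twice without zeroing and once with it, while the other buffer in the request is still cleaned up.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's objects; not the ADF code. */
struct attachment { int detach_count; };   /* counts releases */
struct mapping { struct attachment *attach; };

/* Cleanup deliberately skips zeroed-out mapping data. */
static void mapping_cleanup(struct mapping *m)
{
    if (!m->attach)
        return;
    m->attach->detach_count++;     /* stand-in for detaching */
    memset(m, 0, sizeof(*m));
}

/* Attach always succeeds; the map step fails when fail_map is set. */
static int buffer_map(struct mapping *m, struct attachment *a, int fail_map, int zero)
{
    m->attach = a;
    if (!fail_map)
        return 0;
    a->detach_count++;             /* error path releases the attachment */
    if (zero)
        memset(m, 0, sizeof(*m));  /* the fix: leave nothing for the caller */
    return -1;
}

/* Buffer 0 maps, buffer 1 fails. Returns releases of the failed buffer. */
static int post_request(int zero, int *ok_releases)
{
    struct attachment att[2] = { {0}, {0} };
    struct mapping maps[2] = { {0}, {0} };
    int i, err = 0;
    for (i = 0; i < 2 && !err; i++)
        err = buffer_map(&maps[i], &att[i], i == 1, zero);
    if (err)                       /* caller's error path: clean up every buffer */
        for (i = 0; i < 2; i++)
            mapping_cleanup(&maps[i]);
    *ok_releases = att[0].detach_count;
    return att[1].detach_count;
}

int main(void)
{
    int ok, before = post_request(0, &ok), after = post_request(1, &ok);
    printf("failed buffer released %d time(s) without zeroing, %d with\n", before, after);
    return 0;
}
```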
