2017-10-29 01:48:53 -04:00
|
|
|
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
|
2017-10-29 22:14:37 -04:00
|
|
|
index cc1b3bf..48b6b86 100644
|
2017-10-29 01:48:53 -04:00
|
|
|
--- a/drivers/staging/android/ion/ion.c
|
|
|
|
|
+++ b/drivers/staging/android/ion/ion.c
|
|
|
|
|
@@ -16,6 +16,8 @@
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
+#include <linux/atomic.h>
|
|
|
|
|
+#include <linux/err.h>
|
|
|
|
|
#include <linux/file.h>
|
|
|
|
|
#include <linux/freezer.h>
|
|
|
|
|
#include <linux/fs.h>
|
2017-10-29 22:14:37 -04:00
|
|
|
@@ -400,6 +402,15 @@
|
2017-10-29 01:48:53 -04:00
|
|
|
kref_get(&handle->ref);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+/* Must hold the client lock */
|
|
|
|
|
+static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle)
|
|
|
|
|
+{
|
|
|
|
|
+ if (atomic_read(&handle->ref.refcount) + 1 == 0)
|
|
|
|
|
+ return ERR_PTR(-EOVERFLOW);
|
|
|
|
|
+ ion_handle_get(handle);
|
|
|
|
|
+ return handle;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
int ion_handle_put_nolock(struct ion_handle *handle)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
2017-10-29 22:14:37 -04:00
|
|
|
@@ -445,9 +456,9 @@
|
2017-10-29 01:48:53 -04:00
|
|
|
|
|
|
|
|
handle = idr_find(&client->idr, id);
|
|
|
|
|
if (handle)
|
|
|
|
|
- ion_handle_get(handle);
|
|
|
|
|
+ return ion_handle_get_check_overflow(handle);
|
|
|
|
|
|
|
|
|
|
- return handle ? handle : ERR_PTR(-EINVAL);
|
|
|
|
|
+ return ERR_PTR(-EINVAL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
|
2017-10-29 22:14:37 -04:00
|
|
|
@@ -1339,7 +1350,7 @@
|
2017-10-29 01:48:53 -04:00
|
|
|
/* if a handle exists for this buffer just take a reference to it */
|
|
|
|
|
handle = ion_handle_lookup(client, buffer);
|
|
|
|
|
if (!IS_ERR(handle)) {
|
|
|
|
|
- ion_handle_get(handle);
|
|
|
|
|
+ handle = ion_handle_get_check_overflow(handle);
|
|
|
|
|
mutex_unlock(&client->lock);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
