gpu: ion: fix use-after-free in ion_heap_freelist_drain

The `buffer' variable is being used after being freed. Fix this.

Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
index deaab7c..0a5cea0 100644 (file)
--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -200,9 +200,9 @@ size_t ion_heap_freelist_drain(struct ion_heap *heap, size_t size)
                if (total_drained >= size)
                        break;
                list_del(&buffer->list);
-               ion_buffer_destroy(buffer);
                heap->free_list_size -= buffer->size;
                total_drained += buffer->size;
+               ion_buffer_destroy(buffer);
        }
        rt_mutex_unlock(&heap->lock);