From: Mitchel Humpherys Date: Sat, 14 Dec 2013 03:26:17 +0000 (-0800) Subject: gpu: ion: fix use-after-free in ion_heap_freelist_drain X-Git-Tag: v3.14-rc1~13^2~388 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f020b4430bf29a25229fd9975662baefb02facda;p=profile%2Fivi%2Fkernel-x86-ivi.git gpu: ion: fix use-after-free in ion_heap_freelist_drain The `buffer' variable is being used after being freed. Fix this. Signed-off-by: Mitchel Humpherys Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c index deaab7c..0a5cea0 100644 --- a/drivers/staging/android/ion/ion_heap.c +++ b/drivers/staging/android/ion/ion_heap.c @@ -200,9 +200,9 @@ size_t ion_heap_freelist_drain(struct ion_heap *heap, size_t size) if (total_drained >= size) break; list_del(&buffer->list); - ion_buffer_destroy(buffer); heap->free_list_size -= buffer->size; total_drained += buffer->size; + ion_buffer_destroy(buffer); } rt_mutex_unlock(&heap->lock);