From 91abd955d8535c01fd39487b1c066c3758668dee Mon Sep 17 00:00:00 2001
From: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Date: Thu, 2 Mar 2017 10:15:14 +0900
Subject: [PATCH] staging/ion: free ION buffer after gem object unreference

It's bug that ION buffer is accessed to unreference gem object after ION
buffer is freed. It can cause memory corruption.

Change-Id: Idbfb5f66e8223b408d529d88b5af5079daac7018
Fixes: 03a9b03a2ab2 ("staging/ion: decrease gem reference count in release of dma-buf")
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
---
 drivers/staging/android/ion/ion.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index c06101c..3d00636 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -1226,7 +1226,6 @@ static int ion_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma)
 static void ion_dma_buf_release(struct dma_buf *dmabuf)
 {
 	struct ion_buffer *buffer = dmabuf->priv;
-	ion_buffer_put(buffer);
 
 #ifdef CONFIG_DRM_SPRD
 	if (buffer->obj) {
@@ -1234,6 +1233,8 @@ static void ion_dma_buf_release(struct dma_buf *dmabuf)
 		buffer->obj = NULL;
 	}
 #endif
+
+	ion_buffer_put(buffer);
 }
 
 static void *ion_dma_buf_kmap(struct dma_buf *dmabuf, unsigned long offset)
-- 
2.7.4