staging/ion: free ION buffer after gem object unreference

It's bug that ION buffer is accessed to unreference gem object after ION
buffer is freed. It can cause memory corruption.

Change-Id: Idbfb5f66e8223b408d529d88b5af5079daac7018
Fixes: 03a9b03a2ab2 ("staging/ion: decrease gem reference count in release of dma-buf")
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index c06101c..3d00636 100644 (file)
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -1226,7 +1226,6 @@ static int ion_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma)
 static void ion_dma_buf_release(struct dma_buf *dmabuf)
 {
        struct ion_buffer *buffer = dmabuf->priv;
-       ion_buffer_put(buffer);
 
 #ifdef CONFIG_DRM_SPRD
        if (buffer->obj) {
@@ -1234,6 +1233,8 @@ static void ion_dma_buf_release(struct dma_buf *dmabuf)
                buffer->obj = NULL;
        }
 #endif
+
+       ion_buffer_put(buffer);
 }
 
 static void *ion_dma_buf_kmap(struct dma_buf *dmabuf, unsigned long offset)