Commit 31eb79db authored by Liam Mark, committed by Greg Kroah-Hartman

staging: android: ion: Support cpu access during dma_buf_detach

Often userspace doesn't know when the kernel will be calling dma_buf_detach
on the buffer.
If userspace starts its CPU access at the same time as the sg list is being
freed it could end up accessing the sg list after it has been freed.

Thread A				Thread B
- DMA_BUF_IOCTL_SYNC IOCT
 - ion_dma_buf_begin_cpu_access
  - list_for_each_entry
					- ion_dma_buf_detatch
					 - free_duped_table
   - dma_sync_sg_for_cpu

Fix this by getting the ion_buffer lock before freeing the sg table memory.

Fixes: 2a55e7b5 ("staging: android: ion: Call dma_map_sg for syncing and mapping")
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Acked-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 97715058
...@@ -248,10 +248,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, ...@@ -248,10 +248,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf,
struct ion_dma_buf_attachment *a = attachment->priv; struct ion_dma_buf_attachment *a = attachment->priv;
struct ion_buffer *buffer = dmabuf->priv; struct ion_buffer *buffer = dmabuf->priv;
free_duped_table(a->table);
mutex_lock(&buffer->lock); mutex_lock(&buffer->lock);
list_del(&a->list); list_del(&a->list);
mutex_unlock(&buffer->lock); mutex_unlock(&buffer->lock);
free_duped_table(a->table);
kfree(a); kfree(a);
} }
......
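Review bot: On the new side of the @@ -248,10 +248,10 @@ hunk, free_duped_table(a->table) runs after mutex_unlock(&buffer->lock), so the free itself is not performed under the lock, even though the commit message says the lock is taken before freeing. The fix therefore depends on list_del(&a->list) having already unlinked the attachment under buffer->lock, and on every walker of that list (the message names ion_dma_buf_begin_cpu_access) holding buffer->lock across both the list_for_each_entry and the dma_sync_sg_for_cpu call; neither is visible in this hunk. Suggest a short comment above the free stating that ordering requirement, or rewording the message to say the table is freed only after the attachment has been removed from the list under the lock.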