dsp: add lock in ion free to avoid use after free (1b13d6dd) · Commits · e / devices / android_kernel_fairphone_FP4

dsp/msm_audio_ion.c

+16 −8

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.
		*
		* Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/init.h>
		@@ -63,6 +65,7 @@ static void msm_audio_ion_add_allocation(
		mutex_unlock(&(msm_audio_ion_data->list_mutex));
		}

		/* This function is called with ion_data list mutex lock */
		static int msm_audio_dma_buf_map(struct dma_buf *dma_buf,
		dma_addr_t addr, size_t len)
		{
		@@ -151,7 +154,6 @@ static int msm_audio_dma_buf_unmap(struct dma_buf *dma_buf)
		* should be explicitly acquired to avoid race condition
		* on adding elements to the list.
		*/
		mutex_lock(&(msm_audio_ion_data.list_mutex));
		list_for_each_safe(ptr, next,
		&(msm_audio_ion_data.alloc_list)) {

		@@ -175,7 +177,6 @@ static int msm_audio_dma_buf_unmap(struct dma_buf *dma_buf)
		break;
		}
		}
		mutex_unlock(&(msm_audio_ion_data.list_mutex));

		if (!found) {
		dev_err(cb_dev,
		@@ -230,6 +231,7 @@ int msm_audio_ion_get_smmu_info(struct device **cb_dev,
		return 0;
		}

		/* This function is called with ion_data list mutex lock */
		static void msm_audio_ion_map_kernel(struct dma_buf dma_buf)
		{
		int rc = 0;
		@@ -278,7 +280,6 @@ static int msm_audio_ion_unmap_kernel(struct dma_buf *dma_buf)
		* TBD: remove the below section once new API
		* for unmapping kernel virtual address is available.
		*/
		mutex_lock(&(msm_audio_ion_data.list_mutex));
		list_for_each_entry(alloc_data, &(msm_audio_ion_data.alloc_list),
		list) {
		if (alloc_data->dma_buf == dma_buf) {
		@@ -286,7 +287,6 @@ static int msm_audio_ion_unmap_kernel(struct dma_buf *dma_buf)
		break;
		}
		}
		mutex_unlock(&(msm_audio_ion_data.list_mutex));

		if (!vaddr) {
		dev_err(cb_dev,
		@@ -309,7 +309,8 @@ static int msm_audio_ion_unmap_kernel(struct dma_buf *dma_buf)
		return rc;
		}

		static int msm_audio_ion_map_buf(struct dma_buf dma_buf, dma_addr_t paddr,
		/* This function is called with ion_data list mutex lock */
		static int msm_audio_ion_buf_map(struct dma_buf dma_buf, dma_addr_t paddr,
		size_t plen, void *vaddr)
		{
		int rc = 0;
		@@ -331,7 +332,9 @@ static int msm_audio_ion_map_buf(struct dma_buf dma_buf, dma_addr_t paddr,
		if (IS_ERR_OR_NULL(*vaddr)) {
		pr_err("%s: ION memory mapping for AUDIO failed\n", __func__);
		rc = -ENOMEM;
		mutex_lock(&(msm_audio_ion_data.list_mutex));
		msm_audio_dma_buf_unmap(dma_buf);
		mutex_unlock(&(msm_audio_ion_data.list_mutex));
		goto err;
		}

		@@ -390,7 +393,7 @@ int msm_audio_ion_alloc(struct dma_buf **dma_buf, size_t bufsz,
		goto err;
		}

		rc = msm_audio_ion_map_buf(*dma_buf, paddr, plen, vaddr);
		rc = msm_audio_ion_buf_map(*dma_buf, paddr, plen, vaddr);
		if (rc) {
		pr_err("%s: failed to map ION buf, rc = %d\n", __func__, rc);
		goto err;
		@@ -490,7 +493,7 @@ int msm_audio_ion_import(struct dma_buf **dma_buf, int fd,
		}
		}

		rc = msm_audio_ion_map_buf(*dma_buf, paddr, plen, vaddr);
		rc = msm_audio_ion_buf_map(*dma_buf, paddr, plen, vaddr);
		if (rc) {
		pr_err("%s: failed to map ION buf, rc = %d\n", __func__, rc);
		goto err;
		@@ -516,6 +519,7 @@ EXPORT_SYMBOL(msm_audio_ion_import);
		*
		* Returns 0 on success or error on failure
		*/
		/* This funtion is called with ion_data list mutex lock */
		int msm_audio_ion_free(struct dma_buf *dma_buf)
		{
		int ret = 0;
		@@ -525,11 +529,15 @@ int msm_audio_ion_free(struct dma_buf *dma_buf)
		return -EINVAL;
		}

		mutex_lock(&(msm_audio_ion_data.list_mutex));
		ret = msm_audio_ion_unmap_kernel(dma_buf);
		if (ret)
		if (ret) {
		mutex_unlock(&(msm_audio_ion_data.list_mutex));
		return ret;
		}

		msm_audio_dma_buf_unmap(dma_buf);
		mutex_unlock(&(msm_audio_ion_data.list_mutex));

		return 0;
		}