ion: hold reference to handle after ion_uhandle_get
commit 1262ab1846cf76f7549c66ef709120dbfbe6d49f (ion: replace userspace handle cookies with idr) broke the locking in ion. The ION_IOC_FREE and ION_IOC_MAP ioctls were relying on ion_handle_validate to detect the case where a call raced with another ION_IOC_FREE which may have freed the struct ion_handle. Rename ion_uhandle_get to ion_handle_get_by_id, and have it take the client lock and return with an extra reference to the handle. Make each caller put its reference once it is done with the handle. Also modify users of ion_handle_validate to continue to hold the client lock after calling ion_handle_validate until they are done with the handle, and warn if ion_handle_validate is called without the client lock held. Change-Id: I56da5624fca3bed4ee24806b6ec39de903543341 Signed-off-by:Colin Cross <ccross@android.com> Git-commit: 33a57aa073dac709bcdcba23bc4e2e7fcc6330f6 Git-repo: https://android.googlesource.com/kernel/common [mitchelh@codeaurora.org: minor merge conflicts due to some missing casts since we haven't brought in the change that makes ion_user_handle_t an int.] Signed-off-by:
Loading
Please register or sign in to comment