Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b4968ee8 authored by Amir Samuelov's avatar Amir Samuelov
Browse files

spcom: use mutex on spcom_unlock_ion_buf() 



Only the channel owner app can lock/unlock a channel ion buf.
However, if the app share the ION buf FD with its child tasks,
they might wrongly free the same ion buf twice.
The ion driver panic if a non-valid ION buff handle is provided.

Change-Id: Ia8166df5ea314949090f7e94e90eff3a3ed78b19
Signed-off-by: default avatarAmir Samuelov <amirs@codeaurora.org>
parent 6cf6835d

drivers/soc/qcom/spcom.c

+12 −0
Original line number Diff line number Diff line
@@ -1723,12 +1723,16 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch, 


	pr_debug("ion handle ok.\n");



	/* ION buf lock doesn't involve any rx/tx data to SP. */

	mutex_lock(&ch->lock);



	/* Check if this ION buffer is already locked */

	for (i = 0 ; i < ARRAY_SIZE(ch->ion_handle_table) ; i++) {

		if (ch->ion_handle_table[i] == ion_handle) {

			pr_err("fd [%d] ion buf is already locked.\n", fd);

			/* decrement back the ref count */

			ion_free(spcom_dev->ion_client, ion_handle);

			mutex_unlock(&ch->lock);

			return -EINVAL;

		}

	}
@@ -1740,6 +1744,7 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch, 
			ch->ion_fd_table[i] = fd;

			pr_debug("ch [%s] locked ion buf #%d, fd [%d].\n",

				ch->name, i, fd);

			mutex_unlock(&ch->lock);

			return 0;

		}

	}
@@ -1748,6 +1753,8 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch, 
	/* decrement back the ref count */

	ion_free(spcom_dev->ion_client, ion_handle);



	mutex_unlock(&ch->lock);



	return -EFAULT;

}
@@ -1826,8 +1833,13 @@ static int spcom_handle_unlock_ion_buf_command(struct spcom_channel *ch, 
		return -EINVAL;

	}



	/* ION buf unlock doesn't involve any rx/tx data to SP. */

	mutex_lock(&ch->lock);



	ret = spcom_unlock_ion_buf(ch, fd);



	mutex_unlock(&ch->lock);



	return ret;

}