Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0e9c03a5 authored by Rebecca Schultz Zavin's avatar Rebecca Schultz Zavin Committed by Greg Kroah-Hartman
Browse files

gpu: ion: Fix race between ion_import and ion_free 



If preemted during ion_free after the refcount is updated but
before the handle can be removed from the rb_tree, import
might find that handle in the tree and try to reuse it
when execution returns to free, the handle will be cleaned
up leaving the caller of import with a corrupt handle.
This patch modifies the locking to protect agains this race.

Signed-off-by: default avatarRebecca Schultz Zavin <rebecca@android.com>
[jstultz: modified patch to apply to staging directory]
Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 12edf53d

drivers/staging/android/ion/ion.c

+1 −4
Original line number Diff line number Diff line
@@ -253,8 +253,6 @@ static void ion_handle_destroy(struct kref *kref) 
	struct ion_client *client = handle->client;

	struct ion_buffer *buffer = handle->buffer;



	mutex_lock(&client->lock);



	mutex_lock(&buffer->lock);

	while (handle->kmap_cnt)

		ion_handle_kmap_put(handle);
@@ -262,7 +260,6 @@ static void ion_handle_destroy(struct kref *kref) 


	if (!RB_EMPTY_NODE(&handle->node))

		rb_erase(&handle->node, &client->handles);

	mutex_unlock(&client->lock);



	ion_buffer_put(buffer);

	kfree(handle);
@@ -406,13 +403,13 @@ void ion_free(struct ion_client *client, struct ion_handle *handle) 


	mutex_lock(&client->lock);

	valid_handle = ion_handle_validate(client, handle);

	mutex_unlock(&client->lock);



	if (!valid_handle) {

		WARN(1, "%s: invalid handle passed to free.\n", __func__);

		return;

	}

	ion_handle_put(handle);

	mutex_unlock(&client->lock);

}

EXPORT_SYMBOL(ion_free);