ion: hold reference to handle after ion_uhandle_get
commit
1262ab1846cf76f7549c66ef709120dbfbe6d49f (ion: replace
userspace handle cookies with idr) broke the locking in ion.
The ION_IOC_FREE and ION_IOC_MAP ioctls were relying on
ion_handle_validate to detect the case where a call raced
with another ION_IOC_FREE which may have freed the struct
ion_handle.
Rename ion_uhandle_get to ion_handle_get_by_id, and have it
take the client lock and return with an extra reference to
the handle. Make each caller put its reference once it
is done with the handle.
Also modify users of ion_handle_validate to continue to hold
the client lock after calling ion_handle_validate until
they are done with the handle, and warn if ion_handle_validate
is called without the client lock held.
Change-Id: I56da5624fca3bed4ee24806b6ec39de903543341
Signed-off-by: Colin Cross <ccross@android.com>
projects / firefly-linux-kernel-4.4.55.git / commit