From: Rebecca Schultz Zavin Date: Fri, 13 Dec 2013 22:24:01 +0000 (-0800) Subject: gpu: ion: Fix race between ion_import and ion_free X-Git-Tag: firefly_0821_release~176^2~4489^2~458 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0e9c03a58ed599594780a69c988bd11e6459a752;p=firefly-linux-kernel-4.4.55.git gpu: ion: Fix race between ion_import and ion_free If preemted during ion_free after the refcount is updated but before the handle can be removed from the rb_tree, import might find that handle in the tree and try to reuse it when execution returns to free, the handle will be cleaned up leaving the caller of import with a corrupt handle. This patch modifies the locking to protect agains this race. Signed-off-by: Rebecca Schultz Zavin [jstultz: modified patch to apply to staging directory] Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 84229bd9bfbc..f7dc82163c71 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -253,8 +253,6 @@ static void ion_handle_destroy(struct kref *kref)
 	struct ion_client *client = handle->client;
 	struct ion_buffer *buffer = handle->buffer;
-	mutex_lock(&client->lock);
-	mutex_lock(&buffer->lock);
 	while (handle->kmap_cnt)
 		ion_handle_kmap_put(handle);
@@ -262,7 +260,6 @@ static void ion_handle_destroy(struct kref *kref)
 	if (!RB_EMPTY_NODE(&handle->node))
 		rb_erase(&handle->node, &client->handles);
-	mutex_unlock(&client->lock);
 	ion_buffer_put(buffer);
 	kfree(handle);
@@ -406,13 +403,13 @@ void ion_free(struct ion_client *client, struct ion_handle *handle)
 	mutex_lock(&client->lock);
 	valid_handle = ion_handle_validate(client, handle);
-	mutex_unlock(&client->lock);
 	if (!valid_handle) {
 		WARN(1, "%s: invalid handle passed to free.\n", __func__);
 		return;
 	}
 	ion_handle_put(handle);
+	mutex_unlock(&client->lock);
 }
 EXPORT_SYMBOL(ion_free);
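Review bot: The removed `mutex_lock(&buffer->lock);` has no matching removal of `mutex_unlock(&buffer->lock)` anywhere in this diff, and the commit message only motivates a change to client->lock, not to the buffer lock. If that unlock is still in the function (it would sit after the `ion_handle_kmap_put` loop, outside the visible context), `ion_handle_destroy` now releases a mutex it never acquired, and the `kmap_cnt` bookkeeping done by `ion_handle_kmap_put` loses the protection it had. I would keep `mutex_lock(&buffer->lock);` in this hunk and drop only `mutex_lock(&client->lock);`. `ion_handle_destroy` starts before this hunk and continues past it.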
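Review bot: With `mutex_unlock(&client->lock);` removed, the `rb_erase` on `client->handles` now depends on the caller of `ion_handle_put` already holding `client->lock`, but nothing in the function records that precondition, so any other caller of `ion_handle_put` (not visible in this diff) that does not take the lock would reintroduce the rb_tree race this commit is fixing. I would add `lockdep_assert_held(&client->lock);` just before the `RB_EMPTY_NODE` check, with the comment `/* caller must hold client->lock: it protects client->handles */`. The enclosing function begins before and ends after this hunk.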
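Review bot: The invalid-handle path now returns with `client->lock` still held: the old `mutex_unlock` before the `if (!valid_handle)` check is removed, while the new `mutex_unlock(&client->lock);` is placed only after `ion_handle_put`, so the `WARN` branch leaks the mutex and the next operation taking `client->lock` on this client will block forever. Add `mutex_unlock(&client->lock);` immediately before the `return;` inside the `if (!valid_handle)` block, or route both exits through a single unlock label. Holding `client->lock` across `ion_handle_put` is the intended fix; the lock just has to be dropped on the early exit as well.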