gpu: ion: Fix race between ion_import and ion_free

If preempted during ion_free after the refcount is updated but
before the handle can be removed from the rb_tree, import
might find that handle in the tree and try to reuse it.
When execution returns to free, the handle will be cleaned
up, leaving the caller of import with a corrupt handle.
This patch modifies the locking to protect against this race.

Change-Id: I31d18cc6398f0ca18e05cd919e2bcf86fa18d568
CRs-Fixed: 385283
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
[lauraa@codeaurora.org: Whitespace change and move unlock]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>

Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
diff --git a/drivers/gpu/ion/ion.c b/drivers/gpu/ion/ion.c
index 4fe1f01..31bbb1f 100644
--- a/drivers/gpu/ion/ion.c
+++ b/drivers/gpu/ion/ion.c
@@ -330,8 +330,6 @@
 	struct ion_client *client = handle->client;
 	struct ion_buffer *buffer = handle->buffer;
 
-	mutex_lock(&client->lock);
-
 	mutex_lock(&buffer->lock);
 	while (handle->kmap_cnt)
 		ion_handle_kmap_put(handle);
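Review bot: With mutex_lock(&client->lock) dropped at the top of this function, the locking requirement has moved to the callers, but nothing in the function states or checks it. The rb_erase() on client->handles further down is only safe if every path that can drop the last handle reference already holds client->lock. Suggest a comment above the function saying so, plus lockdep_assert_held(&client->lock) as the first statement, so that a caller of ion_handle_put() not covered by this diff shows up under lockdep instead of as silent tree corruption.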
@@ -339,7 +337,6 @@
 
 	if (!RB_EMPTY_NODE(&handle->node))
 		rb_erase(&handle->node, &client->handles);
-	mutex_unlock(&client->lock);
 
 	ion_buffer_put(buffer);
 	kfree(handle);
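Review bot: With the unlock after rb_erase() removed, ion_buffer_put(buffer) and kfree(handle) now run while the caller still holds client->lock, where previously they ran after it was released. If that is the last reference to the buffer, its release path executes under the client mutex, so please confirm nothing reachable from ion_buffer_put() takes client->lock again (the mutex is not recursive) and that the resulting client->lock then buffer->lock ordering matches every other site that takes both.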
@@ -514,8 +511,8 @@
 		WARN(1, "%s: invalid handle passed to free.\n", __func__);
 		return;
 	}
-	mutex_unlock(&client->lock);
 	ion_handle_put(handle);
+	mutex_unlock(&client->lock);
 }
 EXPORT_SYMBOL(ion_free);
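Review bot: Moving mutex_unlock(&client->lock) below ion_handle_put(handle) closes the window on the free side only; the commit message names ion_import as the other half of the race, and no import hunk appears in this diff. The fix holds only if import performs both the rb_tree lookup and the reference increment inside a single client->lock critical section, so it is worth stating that in the commit message or pointing at the code that guarantees it. Also note that handle may already be freed when ion_handle_put() returns, so the unlock must keep using the client pointer as it does here and never handle->client.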