www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Liam Mark <lmark@codeaurora.org>
	Fri, 18 Jan 2019 18:37:44 +0000 (10:37 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 5 Mar 2019 16:58:01 +0000 (17:58 +0100)
commit	a0fe1581a2963e5de0a7389498c5a8d046d4d0f5
tree	a66ac4c03185d774d05ec0646ae62e110ef47d95	tree
parent	0baaa08d1e3a68f3ef92ab71aac18c56b51c6430	commit \| diff

staging: android: ion: Support cpu access during dma_buf_detach

[ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ]

Often userspace doesn't know when the kernel will be calling dma_buf_detach
on the buffer.
If userpace starts its CPU access at the same time as the sg list is being
freed it could end up accessing the sg list after it has been freed.

Thread A Thread B
- DMA_BUF_IOCTL_SYNC IOCT
- ion_dma_buf_begin_cpu_access
- list_for_each_entry
- ion_dma_buf_detatch
- free_duped_table
- dma_sync_sg_for_cpu

Fix this by getting the ion_buffer lock before freeing the sg table memory.

Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping")
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Acked-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>