Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3455866imu; Fri, 18 Jan 2019 10:40:31 -0800 (PST) X-Google-Smtp-Source: ALg8bN7pUqaW++D20QDun7u8cNLZsD38zv2jlniVor3KHKnkICHzz7YGzxdjAjcoDX4u722qgT9W X-Received: by 2002:a17:902:9b87:: with SMTP id y7mr20351084plp.336.1547836831179; Fri, 18 Jan 2019 10:40:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547836831; cv=none; d=google.com; s=arc-20160816; b=wTdzB5fUdEmMdKFOnHlTg1jBryHW2A9eSQKh4g2zf99H0KjRCtY56sg1iCMEK798u4 d2SKvVC5hrw1IbbChw3P7HuVxEttJNTLBiYcK4AjdatVPfwid/sw+YXhgABiSTN0kfHD 8HkVkppFyjf4SPlG/GdxTDb1Dp4d7zgPxrHTlnSPRvV/yMGPN++gsbAxW/3kq67K5HlF 37gN7TmkzkYrZy9WIIbuijeTLzszDiBSIWyM8KkwY4h95dKgpdpEIb08VIzfXBk5J3tR +QZbWPIRKc+m/qonU6za3HQqoLJtLqJazBS02HgmVE35KNUgVYCYRy2pdb1CWrrComzn WgqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dmarc-filter:dkim-signature:dkim-signature; bh=FNS9T9ukoxir7q86LHs4svtzJD2vdoGIq6qMY5bsnPQ=; b=HJtuIWpd1le9DNEI/st7WAeqUBa42A+NXnVjKNASyYWLD/kk5h/MnVyH4TWPJSkf6W LjsE4WWrzbOvqp2RebzJkpnsd5TMePbSAthv/P18nXTIQpOoGQM8o9xX+Luuf3txgcnh QOaKkxkOb7hdBHOY0gd7Df0OU90G8adpmaE7gq6uWMUk71b2NEthvOiDyRF6fSAuSUUn yn+nLi7R32c9xBGIZzGR9CcYlWqzM5xkvLolnGUlpPcgNojkJuiG0FsQ5Fy6Yuzbh83U hOAw2cule6O4fUTaaFg7Xj5gtolfuj5DZWcUSuVTLM+0hFskicVz9oYEIhDkKf4H4MRj wD0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b="Zolbx6k/"; dkim=pass header.i=@codeaurora.org header.s=default header.b=RI2zIGwE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h88si5551534pfa.49.2019.01.18.10.40.12; Fri, 18 Jan 2019 10:40:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b="Zolbx6k/"; dkim=pass header.i=@codeaurora.org header.s=default header.b=RI2zIGwE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729132AbfARSiC (ORCPT + 99 others); Fri, 18 Jan 2019 13:38:02 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:35934 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728622AbfARSiA (ORCPT ); Fri, 18 Jan 2019 13:38:00 -0500 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 14A6560881; Fri, 18 Jan 2019 18:37:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1547836680; bh=PPIHWCIuL9ZdxLrN3TWiV+KHqNtXKzHC+BhUea4ckkU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Zolbx6k/wUrrQQWxGPn4j2mYjYy9k0rrdUcCO2Xvp3NXBcbTW+2jn5XrJBDx2/ab+ ryPWsEeDy5yz62GchrNmK4tUFMfazQM9LRxqn4eH/esQovn8+DVGB3E9M3EnyGSjP/ QREiehQXwhWpxKkqIv7lLQWKPyzKlyzT7sEBg8lk= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.7 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_INVALID,DKIM_SIGNED autolearn=no autolearn_force=no version=3.4.0 Received: from lmark-linux.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: lmark@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 6A1EC6079B; Fri, 18 Jan 2019 18:37:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1547836679; bh=PPIHWCIuL9ZdxLrN3TWiV+KHqNtXKzHC+BhUea4ckkU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RI2zIGwE1oO8fnHE44T/8e1zOWTiYG8ESYGHErLgrzczMfI9Ig5PuMaQOt4zjRe60 tF148m0EV5XWugVt+lg9+TTBIjJbaUOtnap7YVdfEg/5LY1KntGIrQwPKCXQJDKD7l ZQZNsdCFjtWcZCL0JYN6HFJapaod0RhOZCahIcJE= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 6A1EC6079B Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=lmark@codeaurora.org From: Liam Mark To: labbott@redhat.com, sumit.semwal@linaro.org Cc: arve@android.com, tkjos@android.com, maco@android.com, joel@joelfernandes.org, christian@brauner.io, devel@driverdev.osuosl.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, afd@ti.com, john.stultz@linaro.org, Liam Mark Subject: [PATCH 1/4] staging: android: ion: Support cpu access during dma_buf_detach Date: Fri, 18 Jan 2019 10:37:44 -0800 Message-Id: <1547836667-13695-2-git-send-email-lmark@codeaurora.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1547836667-13695-1-git-send-email-lmark@codeaurora.org> References: <1547836667-13695-1-git-send-email-lmark@codeaurora.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Often userspace doesn't know when the kernel will be calling dma_buf_detach on the buffer. If userpace starts its CPU access at the same time as the sg list is being freed it could end up accessing the sg list after it has been freed. Thread A Thread B - DMA_BUF_IOCTL_SYNC IOCT - ion_dma_buf_begin_cpu_access - list_for_each_entry - ion_dma_buf_detatch - free_duped_table - dma_sync_sg_for_cpu Fix this by getting the ion_buffer lock before freeing the sg table memory. Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping") Signed-off-by: Liam Mark --- drivers/staging/android/ion/ion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index a0802de8c3a1..6f5afab7c1a1 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -248,10 +248,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, struct ion_dma_buf_attachment *a = attachment->priv; struct ion_buffer *buffer = dmabuf->priv; - free_duped_table(a->table); mutex_lock(&buffer->lock); list_del(&a->list); mutex_unlock(&buffer->lock); + free_duped_table(a->table); kfree(a); } -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project