Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp206352imj; Thu, 14 Feb 2019 18:40:53 -0800 (PST) X-Google-Smtp-Source: AHgI3IY3W0ZVQ5dmFMEM2ChnvZAYMjoYqXvSBpwJ3u14vW1Enhmr5/Va8WU07FlgzHqMqNuVAJTg X-Received: by 2002:a63:4a4d:: with SMTP id j13mr3159025pgl.127.1550198453270; Thu, 14 Feb 2019 18:40:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550198453; cv=none; d=google.com; s=arc-20160816; b=nZ5vIL5DRwI785hM4KMFQmeraJHee3x6KW8ZYyxH2fer+Lj1PI5BJxNH/rOBOdUr44 PQKO/2KRxs2THOWPkm+2S/V8akEZhii41IpFMaErd6g+lizilxiXtag967ftE/coagLL OX7uzqn4H5jnu/T4SB+4l6crAYx5yW1XHwrINwq6psLUe/Xu1gqvc/H7b3cRjiV+Xn0e V8a+U7GEtZElJaxwNG0KwYGgUia3FJ44IyLMD8Ewe3DF+Pzqyc+ztCsjNtw2T48ksTnS E1SHHsMynte1+ycIFzw9LcGSL5B05dP0jQJjbJCdlFsUOf3OLgNWiq7pqjj0tKzQNN2T GUyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=hTGZ1bWp9lZ5fdd+WsecdtSgV0qIx83iu4HpwGNUp+s=; b=I/odkvNTYbqa9ZYWJEWcnGwwidLlwFBntbFGCi9+oNNDs2WQRaI0OthfU/s/1wVBw4 AzJzKbdyAMOHgpjcKLN6x9m9VAAHp4T0YAccJ6DsCGOE5442vccmmVrDwvJF5vojJc+D pKI9I0DLsjws1Af+hc4g+yzIqC9wzvNos/deIRJJtZdLxGut9Bf0iwBP/QPI6Z1Ngbnw ZPSv+aZxcvblN8mWBPBN0LaO0D5XeI7aOvLi+xoaG1QHJKhxYIwZXoRYSZT+5a0iMGlQ kwYkyGpwvSBuAXPmyjr9Lpf91y0yJ6qOFLGkbiooXEuEoN6ZfdsshHp7edsPW5CMxRN/ uosA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1YH3pyDz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1si3989337pgb.192.2019.02.14.18.40.37; Thu, 14 Feb 2019 18:40:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1YH3pyDz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729201AbfBOCjF (ORCPT + 99 others); Thu, 14 Feb 2019 21:39:05 -0500 Received: from mail.kernel.org ([198.145.29.99]:50374 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390228AbfBOCKP (ORCPT ); Thu, 14 Feb 2019 21:10:15 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 95A07222C9; Fri, 15 Feb 2019 02:10:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550196615; bh=9/vIXNjYur0fMrot25rWyv4k3CjtT9Ba7PlQfyShXjc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1YH3pyDzFh6pD3qoNvVNgFW4yUpGgP7/HKLXr83RYk9gkUBie0vyguWufFqYohI6j ZGmNFeAowaf0ElBkvmB69ZW/miYh1ZFhkpywXdBCMKqRloqlLD7YsBflb/hSHeqDaB K2UOG4vlMCiQQrPGlxz5E07zIJWmAe0aBAXJHo2I= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Liam Mark , Greg Kroah-Hartman , Sasha Levin , devel@driverdev.osuosl.org, dri-devel@lists.freedesktop.org Subject: [PATCH AUTOSEL 4.20 47/77] staging: android: ion: Support cpu access during dma_buf_detach Date: Thu, 14 Feb 2019 21:08:25 -0500 Message-Id: <20190215020855.176727-47-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190215020855.176727-1-sashal@kernel.org> References: <20190215020855.176727-1-sashal@kernel.org> MIME-Version: 1.0 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Liam Mark [ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ] Often userspace doesn't know when the kernel will be calling dma_buf_detach on the buffer. If userpace starts its CPU access at the same time as the sg list is being freed it could end up accessing the sg list after it has been freed. Thread A Thread B - DMA_BUF_IOCTL_SYNC IOCT - ion_dma_buf_begin_cpu_access - list_for_each_entry - ion_dma_buf_detatch - free_duped_table - dma_sync_sg_for_cpu Fix this by getting the ion_buffer lock before freeing the sg table memory. Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping") Signed-off-by: Liam Mark Acked-by: Laura Abbott Acked-by: Andrew F. Davis Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/staging/android/ion/ion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 99073325b0c0..45c7f829e387 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -237,10 +237,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, struct ion_dma_buf_attachment *a = attachment->priv; struct ion_buffer *buffer = dmabuf->priv; - free_duped_table(a->table); mutex_lock(&buffer->lock); list_del(&a->list); mutex_unlock(&buffer->lock); + free_duped_table(a->table); kfree(a); } -- 2.19.1