Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp2281824imb; Mon, 4 Mar 2019 00:41:26 -0800 (PST) X-Google-Smtp-Source: APXvYqyBo7CmiLegde6BINzgGU7kHXylCBept+fZMY1Kx5hAYL0IVIwc/QiT0QRfsclkfg3OqVEJ X-Received: by 2002:a63:54c:: with SMTP id 73mr17282212pgf.295.1551688886883; Mon, 04 Mar 2019 00:41:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551688886; cv=none; d=google.com; s=arc-20160816; b=mE5ZIKyWvhWUFNCmtubP5jgUpKsbGsNUiJwH88hCX7vrt28L6y3fGgRCVxMtKzMdQ4 fWTlAGvpoSV63Mm8b+ZZleuD51gttJ3ICQVhhx8IHzDRHpCIuJdBSglepxSjglELCUCY eQM0ZMnnKinE/jgOhYVNXrR8iJ2l5fF1YMKAYNV1gZ3FL+ExClUr0PPW5AVP1SXmdw6f F/dO89QtAafzlyldRa8exyyrR+VQBVSZipsNTbpPkLVyc5N1Vm117t7ULZcJGhxd+SCk hIM0AnJ+BkLrKKEkGQpYgvW5ufNgrKBv3GVdA1OzBUvsNH/ADNkIUYtGxJXwVqTnZwiL ZU/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=UaIHV1k71XaO134DtFXCTgMWV/LpEE51lBgT/JkJ5+Q=; b=aByKHTlkwIqt/Z/K8Kj2ZvuKP4K6sP1mq4ZNVqM54YjfEiyCBsFUXgCq9HoVnfTzcZ 1inlFlSyc1wBTAhyP2eRDk+zf3hsMFGvVa8+qFiOdqAfEQS54iY/cNLcBvCFDHZizzNk 3zDiWvdss6U345STFNmtqD0Z+51KlBhILD/cGWXAuVfJhMjpt4oVXwFp05KiRe2aqqxa Bs8uLZbFtaAHfxkU7O1K7/FnYfKtE4ncSHo+yqd4mtQy1QM29/bgni30a7gG4sRfUlXE Vtm7xvkQb62ZJeymox+H5o0xpnfR2Sc0WmHVE1DPiYYECELC8rlROgyj6iCuDzCC3ejT HkoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2pyfH9W+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 23si4672631pgc.220.2019.03.04.00.41.11; Mon, 04 Mar 2019 00:41:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2pyfH9W+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728215AbfCDIeA (ORCPT + 99 others); Mon, 4 Mar 2019 03:34:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:39176 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728205AbfCDId5 (ORCPT ); Mon, 4 Mar 2019 03:33:57 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 03E2B208E4; Mon, 4 Mar 2019 08:33:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1551688436; bh=rrFGu8oDa2eMsQnIPvYzQnpAmMv2MWPVQIinnXamfuk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2pyfH9W+h+wOAvZX3BUz4zSDu1p7P3G97Oj+a+539/3N/CPh3EtTa1Q/kflQ/HN6U Cy8bROA57bvcvnWjNZMiEk/mSvW1va4eFlFkchSy1Mwoc5zMjF86IaQsRObOh/p3Qt fVOEFq/goBxGFMKa/KlKmjk+keN3/RrqDOanrsv4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Liam Mark , Laura Abbott , "Andrew F. Davis" , Sasha Levin Subject: [PATCH 4.20 43/88] staging: android: ion: Support cpu access during dma_buf_detach Date: Mon, 4 Mar 2019 09:22:26 +0100 Message-Id: <20190304081632.273399171@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190304081630.610632175@linuxfoundation.org> References: <20190304081630.610632175@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ] Often userspace doesn't know when the kernel will be calling dma_buf_detach on the buffer. If userpace starts its CPU access at the same time as the sg list is being freed it could end up accessing the sg list after it has been freed. Thread A Thread B - DMA_BUF_IOCTL_SYNC IOCT - ion_dma_buf_begin_cpu_access - list_for_each_entry - ion_dma_buf_detatch - free_duped_table - dma_sync_sg_for_cpu Fix this by getting the ion_buffer lock before freeing the sg table memory. Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping") Signed-off-by: Liam Mark Acked-by: Laura Abbott Acked-by: Andrew F. Davis Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/staging/android/ion/ion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 99073325b0c00..45c7f829e3872 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -237,10 +237,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, struct ion_dma_buf_attachment *a = attachment->priv; struct ion_buffer *buffer = dmabuf->priv; - free_duped_table(a->table); mutex_lock(&buffer->lock); list_del(&a->list); mutex_unlock(&buffer->lock); + free_duped_table(a->table); kfree(a); } -- 2.19.1