From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Liam Mark <lmark@codeaurora.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
devel@driverdev.osuosl.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 25/40] staging: android: ion: Support cpu access during dma_buf_detach
Date: Thu, 14 Feb 2019 21:12:58 -0500
Message-ID: <20190215021313.178476-25-sashal@kernel.org>
In-Reply-To: <20190215021313.178476-1-sashal@kernel.org>
From: Liam Mark <lmark@codeaurora.org>

[ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ]

Often userspace doesn't know when the kernel will be calling dma_buf_detach
on the buffer.
If userspace starts its CPU access at the same time as the sg list is being
freed it could end up accessing the sg list after it has been freed.

Thread A                                Thread B
- DMA_BUF_IOCTL_SYNC IOCT
 - ion_dma_buf_begin_cpu_access
  - list_for_each_entry
                                        - ion_dma_buf_detatch
                                         - free_duped_table
   - dma_sync_sg_for_cpu

Fix this by getting the ion_buffer lock before freeing the sg table memory.

Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping")
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Acked-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/android/ion/ion.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 24cb666c9224..dd96ca61a515 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -257,10 +257,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf,
struct ion_dma_buf_attachment *a = attachment->priv;
struct ion_buffer *buffer = dmabuf->priv;
- free_duped_table(a->table);
mutex_lock(&buffer->lock);
list_del(&a->list);
mutex_unlock(&buffer->lock);
+ free_duped_table(a->table);
kfree(a);
}
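
Review bot: free_duped_table(a->table) now runs after mutex_unlock(&buffer->lock), not under the lock, so the changelog's "getting the ion_buffer lock before freeing the sg table memory" does not quite describe the fix: what closes the race is that list_del(&a->list) unlinks the attachment under buffer->lock before the table is freed. That ordering is only sufficient if every path that walks the attachment list (the list_for_each_entry in ion_dma_buf_begin_cpu_access shown in the changelog) holds buffer->lock across the whole traversal, including the dma_sync_sg_for_cpu call. Suggest a one-line comment above free_duped_table() stating that the table may only be freed once the attachment is off the list, so a later reorder of these lines does not reintroduce the use-after-free.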
--
2.19.1