From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Liam Mark, Greg Kroah-Hartman, Sasha Levin, devel@driverdev.osuosl.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 25/40] staging: android: ion: Support cpu access during dma_buf_detach
Date: Thu, 14 Feb 2019 21:12:58 -0500
Message-Id: <20190215021313.178476-25-sashal@kernel.org>

From: Liam Mark

[ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ]

Often userspace doesn't know when the kernel will be calling dma_buf_detach
on the buffer.
If userspace starts its CPU access at the same time as the sg list is being
freed it could end up accessing the sg list after it has been freed.

Thread A                                Thread B
- DMA_BUF_IOCTL_SYNC IOCT
 - ion_dma_buf_begin_cpu_access
  - list_for_each_entry
                                        - ion_dma_buf_detatch
                                         - free_duped_table
   - dma_sync_sg_for_cpu

Fix this by getting the ion_buffer lock before freeing the sg table memory.

Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping")
Signed-off-by: Liam Mark
Acked-by: Laura Abbott
Acked-by: Andrew F. Davis
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- drivers/staging/android/ion/ion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 24cb666c9224..dd96ca61a515 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c 
@@ -257,10 +257,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, struct ion_dma_buf_attachment *a = attachment->priv; struct ion_buffer *buffer = dmabuf->priv; - free_duped_table(a->table); mutex_lock(&buffer->lock); list_del(&a->list); mutex_unlock(&buffer->lock); + free_duped_table(a->table); kfree(a); } -- 2.19.1
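
Review bot: in ion_dma_buf_detatch the moved free_duped_table(a->table) now runs after mutex_unlock(&buffer->lock), so the free itself is not covered by the lock, although the commit message describes the fix as "getting the ion_buffer lock before freeing the sg table memory". What makes the new order safe is that list_del(&a->list) has already unlinked the attachment under the lock, and that only holds if every path that walks the attachment list and touches a->table (ion_dma_buf_begin_cpu_access in the commit message) keeps buffer->lock for the whole walk, including its dma_sync_sg_for_cpu call. Those callers are not in this hunk and should be checked in the 4.14 tree before this is queued. A one-line comment above the free, stating that the table may only be released once the attachment is off the list, would keep a later cleanup from moving it back. Since this is an AUTOSEL pick, also confirm that the commit named in Fixes: (2a55e7b5e544) is present in 4.14.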