From b4968ee80c0713e765a89c72a5bfe4b6dea7daf4 Mon Sep 17 00:00:00 2001
From: Amir Samuelov
Date: Sun, 23 Apr 2017 13:53:27 +0300
Subject: [PATCH] spcom: use mutex on spcom_unlock_ion_buf()

Only the channel owner app can lock/unlock a channel ion buf. However, if the app share the ION buf FD with its child tasks, they might wrongly free the same ion buf twice. The ion driver panic if a non-valid ION buff handle is provided.

Change-Id: Ia8166df5ea314949090f7e94e90eff3a3ed78b19
Signed-off-by: Amir Samuelov
---
 drivers/soc/qcom/spcom.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
index f7b9c3f85a30..cab758f695dc 100644
--- a/drivers/soc/qcom/spcom.c
+++ b/drivers/soc/qcom/spcom.c
@@ -1723,12 +1723,16 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch,
 pr_debug("ion handle ok.\n");
+ /* ION buf lock doesn't involve any rx/tx data to SP. */
+ mutex_lock(&ch->lock);
+
 /* Check if this ION buffer is already locked */
 for (i = 0 ; i < ARRAY_SIZE(ch->ion_handle_table) ; i++) {
 if (ch->ion_handle_table[i] == ion_handle) {
 pr_err("fd [%d] ion buf is already locked.\n", fd);
 /* decrement back the ref count */
 ion_free(spcom_dev->ion_client, ion_handle);
+ mutex_unlock(&ch->lock);
 return -EINVAL;
 }
 }
@@ -1740,6 +1744,7 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch,
 ch->ion_fd_table[i] = fd;
 pr_debug("ch [%s] locked ion buf #%d, fd [%d].\n", ch->name, i, fd);
+ mutex_unlock(&ch->lock);
 return 0;
 }
 }
@@ -1748,6 +1753,8 @@ static int spcom_handle_lock_ion_buf_command(struct spcom_channel *ch,
 /* decrement back the ref count */
 ion_free(spcom_dev->ion_client, ion_handle);
+ mutex_unlock(&ch->lock);
+
 return -EFAULT;
 }
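Review bot: `mutex_unlock(&ch->lock)` is repeated by hand on each of the three exits of the critical section in spcom_handle_lock_ion_buf_command(), one per hunk (-1723, -1740, -1748). Any return added later between the lock and the end of the function would leave ch->lock held and stall every further ION lock/unlock command on that channel. A single exit is easier to audit: set the result and jump, e.g. `ret = -EINVAL; goto out_unlock;`, with `out_unlock: mutex_unlock(&ch->lock); return ret;` as the only release point (this assumes a local `ret`, which these hunks do not show). The function body starts before the first hunk and continues between the hunks, so this covers only the exits visible here.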
@@ -1826,8 +1833,13 @@ static int spcom_handle_unlock_ion_buf_command(struct spcom_channel *ch,
 return -EINVAL;
 }
+ /* ION buf unlock doesn't involve any rx/tx data to SP. */
+ mutex_lock(&ch->lock);
+
 ret = spcom_unlock_ion_buf(ch, fd);
+ mutex_unlock(&ch->lock);
+
 return ret;
 }
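Review bot: The lock is taken around the call in spcom_handle_unlock_ion_buf_command() rather than inside spcom_unlock_ion_buf(), so the helper is only safe when every caller holds ch->lock, and nothing in the visible code states that. If the helper has other callers (none are visible in this hunk), they could still race with this path and reach the double `ion_free()` the commit message describes. Stating and enforcing the contract at the top of the helper would make it checkable: `/* Caller must hold ch->lock. */` followed by `lockdep_assert_held(&ch->lock);`. The handler's body starts outside the hunk.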