From patchwork Fri Dec 13 22:23:39 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Stultz
X-Patchwork-Id: 22370
From: John Stultz
To: LKML
Cc: Greg KH, Android Kernel Team, Sumit Semwal, Jesse Barker, Colin Cross, KyongHo Cho, John Stultz
Subject: [PATCH 005/115] gpu: ion: several bugfixes and enhancements of ION
Date: Fri, 13 Dec 2013 14:23:39 -0800
Message-Id: <1386973529-4884-6-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.8.3.2
In-Reply-To: <1386973529-4884-1-git-send-email-john.stultz@linaro.org>
References: <1386973529-4884-1-git-send-email-john.stultz@linaro.org>

From: KyongHo Cho

1. Verifying if the size of memory allocation in ion_alloc() is aligned
   by PAGE_SIZE at least. If it is not, this change makes the size to
   be aligned by PAGE_SIZE.
2. Unmaps all mappings to the kernel and DMA address spaces when
   destroying ion_buffer in ion_buffer_destroy(). This prevents leaks in
   those virtual address spaces.
3. Makes the return value of ion_alloc() to be explicit Linux error code
   when it fails to allocate a buffer.
4. Makes ion_alloc() implementation simpler. Removes 'goto' statement and
   relevant call to ion_buffer_put().
5. Checks if the task is valid before calling put_task_struct() due
   to failure on creating an ion client in ion_client_create().
6. Returns error when buffer allocation requested by userspace is failed.

Signed-off-by: KyongHo Cho
[jstultz: modified patch to apply to staging directory]
Signed-off-by: John Stultz --- drivers/staging/android/ion/ion.c | 52 +++++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 13 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 004c0d4..3c9ca31 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -166,6 +166,12 @@ static void ion_buffer_destroy(struct kref *kref) struct ion_buffer *buffer = container_of(kref, struct ion_buffer, ref); struct ion_device *dev = buffer->dev; + if (WARN_ON(buffer->kmap_cnt > 0)) + buffer->heap->ops->unmap_kernel(buffer->heap, buffer); + + if (WARN_ON(buffer->dmap_cnt > 0)) + buffer->heap->ops->unmap_dma(buffer->heap, buffer); + buffer->heap->ops->free(buffer); mutex_lock(&dev->lock); rb_erase(&buffer->node, &dev->buffers); @@ -296,6 +302,11 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len, * request of the caller allocate from it. Repeat until allocate has * succeeded or all heaps have been tried */ + if (WARN_ON(!len)) + return ERR_PTR(-EINVAL); + + len = PAGE_ALIGN(len); + mutex_lock(&dev->lock); for (n = rb_first(&dev->heaps); n != NULL; n = rb_next(n)) { struct ion_heap *heap = rb_entry(n, struct ion_heap, node); 
@@ -311,27 +322,26 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len, } mutex_unlock(&dev->lock); - if (IS_ERR_OR_NULL(buffer)) + if (buffer == NULL) + return ERR_PTR(-ENODEV); + + if (IS_ERR(buffer)) return ERR_PTR(PTR_ERR(buffer)); handle = ion_handle_create(client, buffer); - if (IS_ERR_OR_NULL(handle)) - goto end; - /* * ion_buffer_create will create a buffer with a ref_cnt of 1, * and ion_handle_create will take a second reference, drop one here */ ion_buffer_put(buffer); - mutex_lock(&client->lock); - ion_handle_add(client, handle); - mutex_unlock(&client->lock); - return handle; + if (!IS_ERR(handle)) { + mutex_lock(&client->lock); + ion_handle_add(client, handle); + mutex_unlock(&client->lock); + } -end: - ion_buffer_put(buffer); return handle; } @@ -680,7 +690,8 @@ struct ion_client *ion_client_create(struct ion_device *dev, client = kzalloc(sizeof(struct ion_client), GFP_KERNEL); if (!client) { - put_task_struct(current->group_leader); + if (task) + put_task_struct(current->group_leader); return ERR_PTR(-ENOMEM); } @@ -798,6 +809,15 @@ static void ion_vma_open(struct vm_area_struct *vma) vma->vm_private_data = NULL; return; } + + if (!ion_handle_validate(client, handle)) { + ion_client_put(client); + vma->vm_private_data = NULL; + return; + } + + ion_handle_get(handle); + pr_debug("%s: %d client_cnt %d handle_cnt %d alloc_cnt %d\n", __func__, __LINE__, atomic_read(&client->ref.refcount), @@ -919,7 +939,7 @@ static int ion_ioctl_share(struct file *parent, struct ion_client *client, struct file *file; if (fd < 0) - return -ENFILE; + return fd; file = anon_inode_getfile("ion_share_fd", &ion_share_fops, handle->buffer, O_RDWR); 
@@ -948,8 +968,14 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) return -EFAULT; data.handle = ion_alloc(client, data.len, data.align, data.flags); - if (copy_to_user((void __user *)arg, &data, sizeof(data))) + + if (IS_ERR(data.handle)) + return PTR_ERR(data.handle); + + if (copy_to_user((void __user *)arg, &data, sizeof(data))) { + ion_free(client, data.handle); return -EFAULT; + } break; } case ION_IOC_FREE:
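Review bot: in ion_buffer_destroy() the new calls to buffer->heap->ops->unmap_kernel() and buffer->heap->ops->unmap_dma() are made without checking that the heap implements those ops, so a heap that leaves either pointer NULL would turn a leftover mapping count into a NULL dereference at free time. Guard each call, or document that any heap able to raise kmap_cnt or dmap_cnt must provide the matching unmap op. Because the WARN_ON means some caller failed to unmap, a short comment saying this is a safety net for buggy callers rather than a supported path would also help.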
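Review bot: in ion_alloc() the zero check runs before len = PAGE_ALIGN(len), so a len within PAGE_SIZE - 1 of the size_t maximum passes the check and then wraps to 0 on alignment; align first, then reject !len. The ion_ioctl() hunk passes data.len from userspace straight into this function, so a user-supplied length of 0 raises a kernel warning through WARN_ON(!len); return -EINVAL without the WARN_ON, or validate the length in the ioctl path. The new lines also sit between the heap-walk comment and the loop it describes; move them above that comment.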
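Review bot: in the second ion_alloc() hunk the handle check is relaxed from IS_ERR_OR_NULL(handle) to !IS_ERR(handle), so if ion_handle_create() can return NULL, that NULL is now passed to ion_handle_add() and returned to the caller, and the IS_ERR(data.handle) test added in ion_ioctl() would not catch it either. Confirm that ion_handle_create() only returns a valid pointer or an ERR_PTR and note that in a comment, or keep the NULL case. Minor: return ERR_PTR(PTR_ERR(buffer)) can be written as return ERR_CAST(buffer).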
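Review bot: in the kzalloc() failure path of ion_client_create() the new condition tests task but the reference is dropped on current->group_leader; use put_task_struct(task) so the pointer that is tested is the one that is released. That keeps the error path correct if the way task is chosen changes later.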
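Review bot: in ion_vma_open() nothing in the visible lines holds client->lock across ion_handle_validate() and ion_handle_get(), so the handle could be released between the check and the new reference; take the lock around both, as ion_alloc() does around ion_handle_add(). The patch also shows no matching ion_handle_put() for this reference, and the six items in the commit message mention neither this change nor the ion_ioctl_share() return value change. Please point to where the reference is dropped and add both changes to the changelog.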