From 21fb83cc122b2fd6b04506085c850d03f44153f4 Mon Sep 17 00:00:00 2001 From: binqi zhang Date: Tue, 10 Dec 2019 21:25:05 +0800 Subject: [PATCH] ion: fix race condition in ion driver [1/1] PD#SWPL-17365 Problem: There are race condition between ion_client_destroy and ion_debug_heap_show after adding memtrack function Solution: move debugfs_mutex to protect the ion_debug_heap_show Verify: autoreboot test on tl1 Change-Id: Ife30539426a003946db464bb7349746d991c6f36 Signed-off-by: binqi zhang --- drivers/staging/android/ion/ion.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index eb36caa58ead..d29306488e7c 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -1319,6 +1319,7 @@ static int ion_debug_heap_show(struct seq_file *s, void *unused) size_t total_size = 0; size_t total_orphaned_size = 0; #ifdef CONFIG_AMLOGIC_MODIFY + mutex_lock(&debugfs_mutex); mutex_lock(&dev->buffer_lock); seq_puts(s, "All allocated buffers listed:\n"); for (n = rb_first(&dev->buffers); n; n = rb_next(n)) { @@ -1338,8 +1339,8 @@ static int ion_debug_heap_show(struct seq_file *s, void *unused) #else seq_printf(s, "%16s %16s %16s\n", "client", "pid", "size"); seq_puts(s, "----------------------------------------------------\n"); -#endif mutex_lock(&debugfs_mutex); +#endif for (n = rb_first(&dev->clients); n; n = rb_next(n)) { struct ion_client *client = rb_entry(n, struct ion_client, node); @@ -1358,7 +1359,6 @@ static int ion_debug_heap_show(struct seq_file *s, void *unused) } ion_debug_heap_total(client, heap->id, s); } - mutex_unlock(&debugfs_mutex); #else size_t size = ion_debug_heap_total(client, heap->id); @@ -1396,6 +1396,9 @@ static int ion_debug_heap_show(struct seq_file *s, void *unused) } } mutex_unlock(&dev->buffer_lock); +#ifdef CONFIG_AMLOGIC_MODIFY + mutex_unlock(&debugfs_mutex); +#endif seq_puts(s, "----------------------------------------------------\n"); seq_printf(s, "%16s %16zu\n", "total orphaned", total_orphaned_size);