[thirdparty/kernel/stable-queue.git] / releases / 4.9.109 / staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch

From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@redhat.com>
Date: Mon, 14 May 2018 14:35:09 -0700
Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy

From: Laura Abbott <labbott@redhat.com>

commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.

Syzbot reported yet another warning with Ion:

WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...

This is catching that a buffer was freed with an existing kernel mapping
still present. This can be easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.

Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/android/ion/ion.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -192,8 +192,11 @@ err2:
 
 void ion_buffer_destroy(struct ion_buffer *buffer)
 {
-	if (WARN_ON(buffer->kmap_cnt > 0))
+	if (buffer->kmap_cnt > 0) {
+		pr_warn_once("%s: buffer still mapped in the kernel\n",
+			     __func__);
 		buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
+	}
 	buffer->heap->ops->free(buffer);
 	vfree(buffer->pages);
 	kfree(buffer);
Commit	Line	Data
1b52f688 GKH	1	From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
	2	From: Laura Abbott <labbott@redhat.com>
	3	Date: Mon, 14 May 2018 14:35:09 -0700
	4	Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
	5
	6	From: Laura Abbott <labbott@redhat.com>
	7
	8	commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.
	9
	10	Syzbot reported yet another warning with Ion:
	11
	12	WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
	13	ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
	14	Kernel panic - not syncing: panic_on_warn set ...
	15
	16	This is catching that a buffer was freed with an existing kernel mapping
	17	still present. This can be easily be triggered from userspace by calling
	18	DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
	19	pr_warn_once to indicate the error without being disruptive.
	20
	21	Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
	22	Reported-by: syzbot <syzkaller@googlegroups.com>
	23	Signed-off-by: Laura Abbott <labbott@redhat.com>
	24	Cc: stable <stable@vger.kernel.org>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	drivers/staging/android/ion/ion.c \| 5 ++++-
	29	1 file changed, 4 insertions(+), 1 deletion(-)
	30
	31	--- a/drivers/staging/android/ion/ion.c
	32	+++ b/drivers/staging/android/ion/ion.c
	33	@@ -192,8 +192,11 @@ err2:
	34
	35	void ion_buffer_destroy(struct ion_buffer *buffer)
	36	{
	37	- if (WARN_ON(buffer->kmap_cnt > 0))
	38	+ if (buffer->kmap_cnt > 0) {
	39	+ pr_warn_once("%s: buffer still mapped in the kernel\n",
	40	+ __func__);
	41	buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
	42	+ }
	43	buffer->heap->ops->free(buffer);
	44	vfree(buffer->pages);
	45	kfree(buffer);