mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
139 lines
3.4 KiB
Diff
139 lines
3.4 KiB
Diff
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
|
|
index ee1c2f3..e99ea9a 100755
|
|
--- a/drivers/staging/android/ion/ion.c
|
|
+++ b/drivers/staging/android/ion/ion.c
|
|
@@ -116,6 +116,7 @@
|
|
*/
|
|
struct ion_handle {
|
|
struct kref ref;
|
|
+ unsigned int user_ref_count;
|
|
struct ion_client *client;
|
|
struct ion_buffer *buffer;
|
|
struct rb_node node;
|
|
@@ -429,6 +430,50 @@
|
|
return ret;
|
|
}
|
|
|
|
+/* Must hold the client lock */
|
|
+static void user_ion_handle_get(struct ion_handle *handle)
|
|
+{
|
|
+ if (handle->user_ref_count++ == 0) {
|
|
+ kref_get(&handle->ref);
|
|
+ }
|
|
+}
|
|
+
|
|
+/* Must hold the client lock */
|
|
+static struct ion_handle* user_ion_handle_get_check_overflow(struct ion_handle *handle)
|
|
+{
|
|
+ if (handle->user_ref_count + 1 == 0)
|
|
+ return ERR_PTR(-EOVERFLOW);
|
|
+ user_ion_handle_get(handle);
|
|
+ return handle;
|
|
+}
|
|
+
|
|
+/* passes a kref to the user ref count.
|
|
+ * We know we're holding a kref to the object before and
|
|
+ * after this call, so no need to reverify handle. */
|
|
+static struct ion_handle* pass_to_user(struct ion_handle *handle)
|
|
+{
|
|
+ struct ion_client *client = handle->client;
|
|
+ struct ion_handle *ret;
|
|
+
|
|
+ mutex_lock(&client->lock);
|
|
+ ret = user_ion_handle_get_check_overflow(handle);
|
|
+ ion_handle_put_nolock(handle);
|
|
+ mutex_unlock(&client->lock);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+/* Must hold the client lock */
|
|
+static int user_ion_handle_put_nolock(struct ion_handle *handle)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ if (--handle->user_ref_count == 0) {
|
|
+ ret = ion_handle_put_nolock(handle);
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
static struct ion_handle *ion_handle_lookup(struct ion_client *client,
|
|
struct ion_buffer *buffer)
|
|
{
|
|
@@ -645,6 +690,24 @@
|
|
ion_handle_put_nolock(handle);
|
|
}
|
|
|
|
+static void user_ion_free_nolock(struct ion_client *client, struct ion_handle *handle)
|
|
+{
|
|
+ bool valid_handle;
|
|
+
|
|
+ BUG_ON(client != handle->client);
|
|
+
|
|
+ valid_handle = ion_handle_validate(client, handle);
|
|
+ if (!valid_handle) {
|
|
+ WARN(1, "%s: invalid handle passed to free.\n", __func__);
|
|
+ return;
|
|
+ }
|
|
+ if (!handle->user_ref_count > 0) {
|
|
+ WARN(1, "%s: User does not have access!\n", __func__);
|
|
+ return;
|
|
+ }
|
|
+ user_ion_handle_put_nolock(handle);
|
|
+}
|
|
+
|
|
void ion_free(struct ion_client *client, struct ion_handle *handle)
|
|
{
|
|
BUG_ON(client != handle->client);
|
|
@@ -1439,7 +1502,7 @@
|
|
data.allocation.flags, true);
|
|
if (IS_ERR(handle))
|
|
return PTR_ERR(handle);
|
|
-
|
|
+ pass_to_user(handle);
|
|
data.allocation.handle = handle->id;
|
|
|
|
cleanup_handle = handle;
|
|
@@ -1455,7 +1518,7 @@
|
|
mutex_unlock(&client->lock);
|
|
return PTR_ERR(handle);
|
|
}
|
|
- ion_free_nolock(client, handle);
|
|
+ user_ion_free_nolock(client, handle);
|
|
ion_handle_put_nolock(handle);
|
|
mutex_unlock(&client->lock);
|
|
break;
|
|
@@ -1478,10 +1541,15 @@
|
|
{
|
|
struct ion_handle *handle;
|
|
handle = ion_import_dma_buf(client, data.fd.fd);
|
|
- if (IS_ERR(handle))
|
|
+ if (IS_ERR(handle)) {
|
|
ret = PTR_ERR(handle);
|
|
- else
|
|
- data.handle.handle = handle->id;
|
|
+ } else {
|
|
+ handle = pass_to_user(handle);
|
|
+ if (IS_ERR(handle))
|
|
+ ret = PTR_ERR(handle);
|
|
+ else
|
|
+ data.handle.handle = handle->id;
|
|
+ }
|
|
break;
|
|
}
|
|
case ION_IOC_SYNC:
|
|
@@ -1518,8 +1586,10 @@
|
|
if (dir & _IOC_READ) {
|
|
if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) {
|
|
if (cleanup_handle) {
|
|
- ion_free(client, cleanup_handle);
|
|
- ion_handle_put(cleanup_handle);
|
|
+ mutex_lock(&client->lock);
|
|
+ user_ion_free_nolock(client, cleanup_handle);
|
|
+ ion_handle_put_nolock(cleanup_handle);
|
|
+ mutex_unlock(&client->lock);
|
|
}
|
|
return -EFAULT;
|
|
}
|