diff options
| author | Sathish Ambley <sathishambley@codeaurora.org> | 2015-12-03 09:48:08 -0800 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-23 21:23:24 -0700 |
| commit | 08f929d272cbb737e39ab83df7cd23d502119a4b (patch) | |
| tree | 0f36a437b242d2743ee6c04da4d91332e549bf9c /drivers/char/adsprpc.c | |
| parent | 1befdae1fa722adb28faa3bba9f740e818d931f7 (diff) | |
msm: ADSPRPC: Call find_vma with mmap_sem semaphore held
Calling find_vma() with out holding the mmap_sem semaphore is
not safe especially when an another thread could be removing
vmas from the list. Remove find_vma in places where it is
being used just for debugging purposes.
Change-Id: I1ac12410a0880d92c7301065aa656b5ad8d521cf
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Diffstat (limited to 'drivers/char/adsprpc.c')
| -rw-r--r-- | drivers/char/adsprpc.c | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 1f177e6c106d..4a0573924c24 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -923,11 +923,19 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) int num = buf_num_pages(buf, len); int idx = list[i].pgidx; + down_read(¤t->mm->mmap_sem); VERIFY(err, NULL != (vma = find_vma(current->mm, map->va))); - if (err) + if (err) { + up_read(¤t->mm->mmap_sem); goto bail; + } offset = buf_page_start(buf) - vma->vm_start; + up_read(¤t->mm->mmap_sem); + + VERIFY(err, offset < (uintptr_t)map->size); + if (err) + goto bail; pages[idx].addr = map->phys + offset; pages[idx].size = num << PAGE_SHIFT; } @@ -1247,9 +1255,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl, goto bail; } else if (init->flags == FASTRPC_INIT_CREATE) { remote_arg_t ra[4]; - int fds[4], i, len = 0; + int fds[4]; int mflags = 0; - struct scatterlist *sg; struct { int pgid; int namelen; @@ -1268,19 +1275,6 @@ static int fastrpc_init_process(struct fastrpc_file *fl, init->memlen, mflags, &mem)); if (err) goto bail; - for_each_sg(mem->table->sgl, sg, mem->table->nents, i) { - unsigned long pfn; - struct vm_area_struct *vma = find_vma(current->mm, - init->mem + len); - if (vma && !follow_pfn(vma, init->mem + len, &pfn)) - dev_dbg(fl->apps->channel[fl->cid].dev, - "%s: VA=0x%p, PA=0x%p, len=0x%x\n", - __func__, - (void *)(uintptr_t)(mem->phys + len), - (void *)(uintptr_t)(__pfn_to_phys(pfn)), - (unsigned int)sg->length); - len += sg->length; - } inbuf.pageslen = 1; ra[0].buf.pv = (void *)&inbuf; ra[0].buf.len = sizeof(inbuf); |