summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSrinivas Kandagatla <srinivas.kandagatla@linaro.org>2019-08-29 12:29:25 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-09-04 14:35:11 +0300
commit5672ff4dc3898b6b74c114de2f53e667ab5a0327 (patch)
tree4cf773321c2c36af5c5ce55c401bbaf0d233273c
parent15fe27f3162ee47c0363cd8cf53b351823479063 (diff)
downloadlinux-5672ff4dc3898b6b74c114de2f53e667ab5a0327.tar.xz
misc: fastrpc: fix double refcounting on dmabuf
dma buf refcount has to be done by the driver which is going to use the fd. This driver already does refcount on the dmabuf fd if its actively using it but also does an additional refcounting via extra ioctl. This additional refcount can lead to memory leak in cases where the applications fail to call the ioctl to decrement the refcount. So remove this extra refcount in the ioctl More info of dma buf usage at drivers/dma-buf/dma-buf.c Reported-by: Mayank Chopra <mak.chopra@codeaurora.org> Reported-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> Tested-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Link: https://lore.kernel.org/r/20190829092926.12037-5-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/misc/fastrpc.c25
1 files changed, 0 insertions, 25 deletions
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 38829fa74f28..eee2bb398947 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1198,26 +1198,6 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
return 0;
}
-static int fastrpc_dmabuf_free(struct fastrpc_user *fl, char __user *argp)
-{
- struct dma_buf *buf;
- int info;
-
- if (copy_from_user(&info, argp, sizeof(info)))
- return -EFAULT;
-
- buf = dma_buf_get(info);
- if (IS_ERR_OR_NULL(buf))
- return -EINVAL;
- /*
- * one for the last get and other for the ALLOC_DMA_BUFF ioctl
- */
- dma_buf_put(buf);
- dma_buf_put(buf);
-
- return 0;
-}
-
static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp)
{
struct fastrpc_alloc_dma_buf bp;
@@ -1253,8 +1233,6 @@ static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp)
return -EFAULT;
}
- get_dma_buf(buf->dmabuf);
-
return 0;
}
@@ -1322,9 +1300,6 @@ static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
case FASTRPC_IOCTL_INIT_CREATE:
err = fastrpc_init_create_process(fl, argp);
break;
- case FASTRPC_IOCTL_FREE_DMA_BUFF:
- err = fastrpc_dmabuf_free(fl, argp);
- break;
case FASTRPC_IOCTL_ALLOC_DMA_BUFF:
err = fastrpc_dmabuf_alloc(fl, argp);
break;