staging: ion: WARN when the handle kmap_cnt is going to wrap around

There are certain client bugs (double unmap, for example) that can cause
the handle->kmap_cnt (an unsigned int) to wrap around from zero. This
causes problems when the handle is destroyed because we have:

        while (handle->kmap_cnt)
                ion_handle_kmap_put(handle);

which takes a long time to complete when kmap_cnt starts at ~0 and can
result in a watchdog timeout.

WARN and bail when kmap_cnt is about to wrap around from zero.

Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Acked-by: Colin Cross <ccross@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index ea2c8a9addb58f2788feee5a06bec79315e1f037..389b8f67a2ec9320d12c326ba8ef1bbf80abb08b 100644 (file)
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -627,6 +627,10 @@ static void ion_handle_kmap_put(struct ion_handle *handle)
 {
        struct ion_buffer *buffer = handle->buffer;
 
+       if (!handle->kmap_cnt) {
+               WARN(1, "%s: Double unmap detected! bailing...\n", __func__);
+               return;
+       }
        handle->kmap_cnt--;
        if (!handle->kmap_cnt)
                ion_buffer_kmap_put(buffer);