[RAMEN9610-12171] ion: protect buffer id by buffer_lock of device

The exynos_ion_alloc_fixup function set the id
for the buffer.

The buffer id must be unique. The ida library
does its own locking without special requirement
to support unique id.
However it is possible not to set the unique id
when the returned id is error by the ida full or
other reason, and the id is set as MAX_BUFFER_ID
and updates last_buffer_id as zero because that
critical region is not protected by lock.

Signed-off-by: hyesoo.yu <hyesoo.yu@samsung.com>
Change-Id: Idf737b68995278a382c8db5708e13223f46dcf9f

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 1303db4a34bd7536e17f88dfc10d175ced10d3cc..3316a3431e57ac4ce4a974bbe6820422de5ca89b 100644 (file)
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -113,13 +113,15 @@ static struct ion_buffer *ion_buffer_create(struct ion_heap *heap,
        buffer->dev = dev;
        buffer->size = len;
 
-       ret = exynos_ion_alloc_fixup(dev, buffer);
-       if (ret < 0)
-               goto err1;
-
        INIT_LIST_HEAD(&buffer->iovas);
        mutex_init(&buffer->lock);
        mutex_lock(&dev->buffer_lock);
+       ret = exynos_ion_alloc_fixup(dev, buffer);
+       if (ret < 0) {
+               mutex_unlock(&dev->buffer_lock);
+               goto err1;
+       }
+
        ion_buffer_add(dev, buffer);
        mutex_unlock(&dev->buffer_lock);
        return buffer;