From: hyesoo.yu Date: Mon, 13 Aug 2018 09:42:52 +0000 (+0900) Subject: [RAMEN9610-12270] media: vb2: avoid accessing buffer from dmabuf_container X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9f852812c2e1e87c4fa6e029bf0d0199de645354;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [RAMEN9610-12270] media: vb2: avoid accessing buffer from dmabuf_container dmabuf_container is a dmabuf but it just has metadata of buffers that it is containing. Trying to access buffer information through the result of dma_buf_map_attachment() should be avoided. Change-Id: I55c2e9a11ce4932d98cc0e72ab25e85f27a9f670 Signed-off-by: hyesoo.yu
---
diff --git a/drivers/media/v4l2-core/videobuf2-dma-sg.c b/drivers/media/v4l2-core/videobuf2-dma-sg.c
index ed5c5937308e..b0010bf149e6 100644
--- a/drivers/media/v4l2-core/videobuf2-dma-sg.c
+++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -612,7 +613,13 @@ static int vb2_dma_sg_map_dmabuf(void *mem_priv, size_t size)
 return -EINVAL;
 }
- if ((buf->iova == 0) || IS_ERR_VALUE(buf->iova)) {
+ /*
+ * A dmabuf container itself is also a dmabuf. It is capable of attach
+ * and map but the buffer in it is not accessible because it just has
+ * metadata of dma-buf array.
+ */
+ if ((dmabuf_container_get_count(buf->db_attach->dmabuf) < 0) &&
+ ((buf->iova == 0) || IS_ERR_VALUE(buf->iova))) {
 if (device_get_dma_attr(buf->dev) == DEV_DMA_COHERENT)
 ioprot |= IOMMU_CACHE;
@@ -669,7 +676,8 @@ static void vb2_dma_sg_detach_dmabuf(void *mem_priv)
 if (WARN_ON(buf->dma_sgt))
 vb2_dma_sg_unmap_dmabuf(buf, 0);
- ion_iovmm_unmap(buf->db_attach, buf->iova);
+ if (dmabuf_container_get_count(buf->db_attach->dmabuf) < 0)
+ ion_iovmm_unmap(buf->db_attach, buf->iova);
 /* detach this attachment */
 dma_buf_detach(buf->db_attach->dmabuf, buf->db_attach);
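Review bot: In `vb2_dma_sg_map_dmabuf` the new condition treats any negative return from `dmabuf_container_get_count()` as "ordinary dma-buf", and for a container it skips the mapping block, so `buf->iova` keeps whatever value it had while the function (whose body continues outside this hunk) presumably still reports success. The added comment explains why a container is not mapped but not what `buf->iova` means afterwards; I would extend it with something like `/* buf->iova stays unmapped for a container and must not be used as a device address */`. The identical test is open-coded again in `vb2_dma_sg_detach_dmabuf` in the last hunk, and map and unmap only stay balanced while the two sites agree, so a single static helper shared by both (for example a proposed `vb2_dma_sg_is_container(buf)`) would be safer than two separate `< 0` comparisons.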
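Review bot: The unmap in `vb2_dma_sg_detach_dmabuf` is now gated on the dma-buf's type rather than on whether an IOVA mapping actually exists, so for an ordinary dma-buf `ion_iovmm_unmap()` is still called when `buf->iova` is 0 or an error value, for instance after a map that failed or never ran. Whether `ion_iovmm_unmap()` tolerates such an address is not visible here. Keying the call on the mapping state, `if (buf->iova && !IS_ERR_VALUE(buf->iova))`, would also cover the container case, provided a container's `buf->iova` is never set. The function's body starts and ends outside the hunk.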