staging: android: ion: Support cpu access during dma_buf_detach

This change “staging: android: ion: Support cpu access during dma_buf_detach” in the Linux kernel was authored by Liam Mark <lmark [at]> on Fri Jan 18 10:37:44 2019 -0800.

staging: android: ion: Support cpu access during dma_buf_detach

Often userspace doesn't know when the kernel will be calling dma_buf_detach
on the buffer.
If userspace starts its CPU access at the same time as the sg list is being
freed it could end up accessing the sg list after it has been freed.

Thread A				Thread B
 - ion_dma_buf_begin_cpu_access
  - list_for_each_entry
					- ion_dma_buf_detatch
					 - free_duped_table
   - dma_sync_sg_for_cpu

Fix this by getting the ion_buffer lock before freeing the sg table memory.

Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping")
Signed-off-by: Liam Mark <>
Acked-by: Laura Abbott <>
Acked-by: Andrew F. Davis <>
Signed-off-by: Greg Kroah-Hartman <>
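
The locking pattern the commit message describes, as an added userspace model (not code from this commit or from the ION driver): a pthread mutex stands in for the ion_buffer lock and a one-element int array for the duplicated sg table. All struct and function names below are hypothetical.

```c
#include <pthread.h>
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, not the ION driver's. */
struct attachment { int *table; struct attachment *next; };
struct buffer { pthread_mutex_t lock; struct attachment *head; };
static struct attachment *attach(struct buffer *b, int v)
{
    struct attachment *a = malloc(sizeof(*a));
    a->table = malloc(sizeof(int));   /* stands in for the duped sg table */
    a->table[0] = v;
    a->next = b->head;                /* setup only: no second thread yet */
    return b->head = a;
}

/* Thread A: walk the attachments and touch each table under the lock. */
static long begin_cpu_access(struct buffer *b)
{
    long sum = 0;
    pthread_mutex_lock(&b->lock);
    for (struct attachment *a = b->head; a; a = a->next) sum += a->table[0];
    pthread_mutex_unlock(&b->lock);
    return sum;
}

/* Thread B: unlink and free the table while holding the same lock. */
static void detach(struct buffer *b, struct attachment *victim)
{
    pthread_mutex_lock(&b->lock);
    for (struct attachment **p = &b->head; *p; p = &(*p)->next)
        if (*p == victim) { *p = victim->next; break; }
    free(victim->table);              /* no walker can be inside the list now */
    pthread_mutex_unlock(&b->lock);
    free(victim);
}
static void *reader(void *arg)
{
    for (int i = 0; i < 10000; i++) begin_cpu_access(arg);
    return NULL;
}
/* Detach n (<= 16) attachments while a reader runs; returns the final sum. */
static long run_model(int n)
{
    struct buffer b = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct attachment *all[16]; pthread_t t;
    for (int i = 0; i < n; i++) all[i] = attach(&b, 1);
    pthread_create(&t, NULL, reader, &b);
    for (int i = 0; i < n; i++) detach(&b, all[i]);
    pthread_join(t, NULL);
    return begin_cpu_access(&b);
}
```

Building this with a thread or address sanitizer and moving the `free(victim->table)` call above `pthread_mutex_lock` reproduces the use-after-free window from the Thread A / Thread B diagram.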

This Linux change may have been applied to various maintained Linux releases and you can find Linux releases including commit 31eb79d.

There are 2 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/staging/android/ion/ion.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index a0802de..6f5afab 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -248,10 +248,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf,
 	struct ion_dma_buf_attachment *a = attachment->priv;
 	struct ion_buffer *buffer = dmabuf->priv;
-	free_duped_table(a->table);
+	free_duped_table(a->table);
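
Review bot: The removed and added lines here are both `free_duped_table(a->table);` and no lock call is visible, so as rendered the hunk does not show the ordering the commit message depends on (taking the ion_buffer lock before freeing the sg table). The header announces ten lines but only four are shown, so the surrounding lock lines appear to be cut off. The free should sit inside the buffer lock's critical section, so that the list_for_each_entry walk in ion_dma_buf_begin_cpu_access cannot reach a table that is being freed, and a one-line comment at the call stating that the buffer lock must be held would keep a later cleanup from moving it back out.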

The commit for this change in Linux stable tree is 31eb79d (patch).
