ANDROID: page_pinner: prevent pp_buffer uninitialized access
There is a race window between page_pinner_inited set and the pp_buffer initialization which cause accessing the pp_buffer->lock. Avoid this by moving the pp_buffer initialization to page_ext_ops->init() which sets the page_pinner_inited only after the pp_buffer is initialized. Race scenario: 1) init_page_pinner is called --> page_pinner_inited is set. 2) __alloc_contig_migrate_range --> __page_pinner_failure_detect() accesses the pp_buffer->lock(yet to be initialized). 3) Then the pp_buffer is allocated and initialized. Below is the issue call stack: spin_bug+0x0 _raw_spin_lock_irqsave+0x3c __page_pinner_failure_detect+0x110 __alloc_contig_migrate_range+0x1c4 alloc_contig_range+0x130 cma_alloc+0x170 dma_alloc_contiguous+0xa0 __dma_direct_alloc_pages+0x16c dma_direct_alloc+0x88 Bug: 259024332 Bug: 240196534 Change-Id: I6849ac4d944498b9a431b47cad7adc7903c9bbaa Signed-off-by:Charan Teja Kalla <quic_charante@quicinc.com> (cherry picked from commit d47c9481) Signed-off-by:
Georgi Djakov <quic_c_gdjako@quicinc.com>
Loading
Please sign in to comment