mm: ashmem: Make sure vma is valid while flushing

Ensure that the vma that the ashmem region is tied to is valid before flushing and hold the mm semaphore so that the vma does not get destroyed from under while it's being flushed. CRs-Fixed: 326685 Change-Id: I86320ffe9e6570e6ffa7dda68ab26be7aed86afd Signed-off-by: Shubhraprakash Das <sadas@codeaurora.org>
2011-12-22 14:28:07 -07:00
parent 1aa4848c00
commit cf089c4da0
1 changed files with 24 additions and 3 deletions
--- a/mm/ashmem.c
+++ b/mm/ashmem.c
@@ -673,10 +673,28 @@ static int ashmem_cache_op(struct ashmem_area *asma,
 	void (*cache_func)(unsigned long vstart, unsigned long length,
 				unsigned long pstart))
 {
+	int ret = 0;
+	struct vm_area_struct *vma;
 #ifdef CONFIG_OUTER_CACHE
 	unsigned long vaddr;
 #endif
-	mutex_lock(&ashmem_mutex);
+	if (!asma->vm_start)
+		return -EINVAL;
+
+	down_read(&current->mm->mmap_sem);
+	vma = find_vma(current->mm, asma->vm_start);
+	if (!vma) {
+		ret = -EINVAL;
+		goto done;
+	}
+	if (vma->vm_file != asma->file) {
+		ret = -EINVAL;
+		goto done;
+	}
+	if ((asma->vm_start + asma->size) > (vma->vm_start + vma->vm_end)) {
+		ret = -EINVAL;
+		goto done;
+	}
 #ifndef CONFIG_OUTER_CACHE
 	cache_func(asma->vm_start, asma->size, 0);
 #else
@@ -689,8 +707,11 @@ static int ashmem_cache_op(struct ashmem_area *asma,
 		cache_func(vaddr, PAGE_SIZE, physaddr);
 	}
 #endif
-	mutex_unlock(&ashmem_mutex);
-	return 0;
+done:
+	up_read(&current->mm->mmap_sem);
+	if (ret)
+		asma->vm_start = 0;
+	return ret;
 }

 static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)