Consider two threads. Thread 1 has an fd linked to an ion buffer
and Thread 2 has a handle to the same buffer. The two came from
the same client
Thread 1 Thread 2
-----------------------------------------
ion_import_fd
ion_import
mutex_lock(&client->lock)
ion_free
ion_handle_put
ion_handle_destroy
mutex_lock(&client->lock) <--- currently locked
ion_handle_lookup
<return reference to same handle>
mutex_unlock(&client->lock)
acquire client lock
free(handle)
Thread 1 is now holding a reference to an already freed handle.
The issue arises because thread 2 is attempting to destroy the
handle but the handle still exists on the clients list of handles.
This needs to be atomic. Fix this by taking the client lock
around ion_handle_put.
CRs-Fixed: 328348
Change-Id: I3ff5e6c50b5268fd42092bc1f2b99403e5fcd3cd
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
ec149ff980