staging: android: ion: Properly zero cached carveout allocations

There is a contract that ION returns zeroed memory.
When the carveout used by the ion carveout heap is mapped into the
kernel with a cached mapping, such as through the logical kernel
address mapping, then there are two cases where the ion carveout
heap is not properly zeroing its memory.

Case #1: In ion_carveout_heap_create() the memory is being flushed
and then it is being zeroed using an uncached mapping. It is possible
that speculative access has put data (which could be non-zero) into
the cache between the flush and the uncached zeroing.  If this memory
was allocated using a cached ION allocation then the client would see
non-zero values.

Case #2: In ion_carveout_heap_free() if an uncached allocation is
being freed then the code zeros the memory using an uncached mapping
and doesn't do any cache maintenance. Speculative access to this
memory, before it was freed, could have resulted in non-zero data
being placed into the cache.  If after this memory is freed it is
allocated using a cached ION allocation then the client would see
non-zero values.

The likely impact of these bugs is that any ion carveout heap clients
who are allocating cached memory, and who are relying on the zeroing,
could see functional issues due to their memory having garbage values.

Fix by invalidating the cache when cached memory is allocated.

Change-Id: Ica4362c850497ef90ff82780dc70ee62da9d112b
Signed-off-by: Liam Mark <lmark@codeaurora.org>
1 file changed
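
The two cases from the commit message above, reduced to a toy cache model. This is an added example, not code from the patch or from the kernel. The write-through cache, the 16-byte line size and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model (constructed): physical memory plus a cache holding its own
 * copy of each line. Not kernel code; all names are hypothetical. */
#define MEM_SIZE 64
#define LINE     16
static unsigned char mem[MEM_SIZE];     /* DRAM contents */
static unsigned char cache[MEM_SIZE];   /* cached copies of DRAM */
static int valid[MEM_SIZE / LINE];      /* is the line present in cache? */

/* Pull one line from memory into the cache; a speculative access does this. */
static void line_fill(int line) {
    memcpy(cache + line * LINE, mem + line * LINE, LINE);
    valid[line] = 1;
}
/* Drop every cached copy (write-through model, so a flush is the same). */
static void cache_invalidate(void) { memset(valid, 0, sizeof valid); }
/* Write through the uncached mapping: memory changes, the cache does not. */
static void uncached_fill(unsigned char v) { memset(mem, v, MEM_SIZE); }
/* Read through the cached mapping: a hit returns the cached copy. */
static unsigned char cached_read(int addr) {
    if (!valid[addr / LINE]) line_fill(addr / LINE);
    return cache[addr];
}

/* Case #1: heap creation. Returns the byte a cached client then reads. */
unsigned char case1_create(int invalidate_on_alloc) {
    uncached_fill(0xAA);   /* carveout starts out holding garbage */
    cache_invalidate();    /* flush done at heap creation */
    line_fill(0);          /* speculative access between flush and zeroing */
    uncached_fill(0x00);   /* zeroing through the uncached mapping */
    if (invalidate_on_alloc) cache_invalidate();   /* the fix */
    return cached_read(0);
}

/* Case #2: uncached buffer freed, then handed out as a cached allocation. */
unsigned char case2_free(int invalidate_on_alloc) {
    cache_invalidate();
    uncached_fill(0x5A);   /* previous client's data, written uncached */
    line_fill(0);          /* speculative access while the buffer is in use */
    uncached_fill(0x00);   /* free path: zero, no cache maintenance */
    if (invalidate_on_alloc) cache_invalidate();   /* the fix */
    return cached_read(0);
}

int main(void) {
    printf("case1: bug=0x%02x fixed=0x%02x\n", case1_create(0), case1_create(1));
    printf("case2: bug=0x%02x fixed=0x%02x\n", case2_free(0), case2_free(1));
    return 0;
}
```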