4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Sep 2018 16:31:12 +0000 (18:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Sep 2018 16:31:12 +0000 (18:31 +0200)
added patches:
staging-android-ion-check-for-kref-overflow.patch

queue-4.9/series
queue-4.9/staging-android-ion-check-for-kref-overflow.patch [new file with mode: 0644]

index a225135bddd5324c4e8a9535b4ae1d2921505d6f..7354824720f1f22cf9f9fa8658028559d668c606 100644 (file)
@@ -104,3 +104,4 @@ pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch
 power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch
 power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch
 cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch
+staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-4.9/staging-android-ion-check-for-kref-overflow.patch b/queue-4.9/staging-android-ion-check-for-kref-overflow.patch
new file mode 100644 (file)
index 0000000..9b30022
--- /dev/null
@@ -0,0 +1,71 @@
+From drosen@google.com  Mon Sep  3 18:30:20 2018
+From: Daniel Rosenberg <drosen@google.com>
+Date: Thu, 30 Aug 2018 16:09:46 -0700
+Subject: staging: android: ion: check for kref overflow
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg <drosen@google.com>
+Message-ID: <20180830230946.228701-1-drosen@google.com>
+
+From: Daniel Rosenberg <drosen@google.com>
+
+This patch is against 4.9. It does not apply to master due to a large
+rework of ion in 4.12 which removed the affected functions altogther.
+4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
+
+Userspace can cause the kref to handles to increment
+arbitrarily high. Ensure it does not overflow.
+
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/android/ion/ion.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -15,6 +15,7 @@
+  *
+  */
++#include <linux/atomic.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/file.h>
+@@ -305,6 +306,16 @@ static void ion_handle_get(struct ion_ha
+       kref_get(&handle->ref);
+ }
++/* Must hold the client lock */
++static struct ion_handle *ion_handle_get_check_overflow(
++                                      struct ion_handle *handle)
++{
++      if (atomic_read(&handle->ref.refcount) + 1 == 0)
++              return ERR_PTR(-EOVERFLOW);
++      ion_handle_get(handle);
++      return handle;
++}
++
+ int ion_handle_put_nolock(struct ion_handle *handle)
+ {
+       return kref_put(&handle->ref, ion_handle_destroy);
+@@ -347,9 +358,9 @@ struct ion_handle *ion_handle_get_by_id_
+       handle = idr_find(&client->idr, id);
+       if (handle)
+-              ion_handle_get(handle);
++              return ion_handle_get_check_overflow(handle);
+-      return handle ? handle : ERR_PTR(-EINVAL);
++      return ERR_PTR(-EINVAL);
+ }
+ static bool ion_handle_validate(struct ion_client *client,
+@@ -1110,7 +1121,7 @@ struct ion_handle *ion_import_dma_buf(st
+       /* if a handle exists for this buffer just take a reference to it */
+       handle = ion_handle_lookup(client, buffer);
+       if (!IS_ERR(handle)) {
+-              ion_handle_get(handle);
++              handle = ion_handle_get_check_overflow(handle);
+               mutex_unlock(&client->lock);
+               goto end;
+       }
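Review bot: In `ion_handle_get_check_overflow()` the guard `atomic_read(&handle->ref.refcount) + 1 == 0` is a read followed by a separate increment in `ion_handle_get()`, so it only holds if every path that takes a reference on `handle->ref` does so under `client->lock`. The comment should say that, for example `/* Must hold the client lock: the overflow test and the kref_get() are not atomic together */`. The test fires only when the counter reads -1, so the count may first run through the whole negative range. Refusing earlier with `if (atomic_read(&handle->ref.refcount) >= INT_MAX) return ERR_PTR(-EOVERFLOW);` would keep the count positive and avoid relying on wrapping signed arithmetic, provided no other path increments unchecked. `ion_handle_get()` is unchanged and its other callers are not visible here, and in `ion_import_dma_buf()` the `end` label lies outside the hunk, so confirm that path returns an `ERR_PTR(-EOVERFLOW)` handle without dereferencing it.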