3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 09:04:16 +0000 (11:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 09:04:16 +0000 (11:04 +0200)
added patches:
staging-android-ion-check-for-kref-overflow.patch

queue-3.18/series
queue-3.18/staging-android-ion-check-for-kref-overflow.patch [new file with mode: 0644]

index aa0e356032be25eef083b1f4e6be1a976579cb5d..c68d4d1da53f856f2416e010737f0c8bc6ddf8be 100644 (file)
@@ -49,3 +49,4 @@ net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch
 net-qca_spi-avoid-packet-drop-during-initial-sync.patch
 net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
 tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
+staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-3.18/staging-android-ion-check-for-kref-overflow.patch b/queue-3.18/staging-android-ion-check-for-kref-overflow.patch
new file mode 100644 (file)
index 0000000..73c6faf
--- /dev/null
@@ -0,0 +1,76 @@
+From drosen@google.com  Wed Aug 22 11:00:12 2018
+From: Daniel Rosenberg <drosen@google.com>
+Date: Tue, 21 Aug 2018 13:31:50 -0700
+Subject: staging: android: ion: check for kref overflow
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg <drosen@google.com>
+Message-ID: <20180821203150.231997-1-drosen@google.com>
+
+From: Daniel Rosenberg <drosen@google.com>
+
+This patch is against 4.4. It does not apply to master due to a large
+rework of ion in 4.12 which removed the affected functions altogther.
+4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
+
+Userspace can cause the kref to handles to increment
+arbitrarily high. Ensure it does not overflow.
+
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+v2: Fixed patch corruption :(
+
+
+It applies from 3.18 to 4.11, although with a trivial conflict resolution
+for the later branches.
+ drivers/staging/android/ion/ion.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -15,6 +15,7 @@
+  *
+  */
++#include <linux/atomic.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/file.h>
+@@ -389,6 +390,16 @@ static void ion_handle_get(struct ion_ha
+       kref_get(&handle->ref);
+ }
++/* Must hold the client lock */
++static struct ion_handle *ion_handle_get_check_overflow(
++                                      struct ion_handle *handle)
++{
++      if (atomic_read(&handle->ref.refcount) + 1 == 0)
++              return ERR_PTR(-EOVERFLOW);
++      ion_handle_get(handle);
++      return handle;
++}
++
+ static int ion_handle_put_nolock(struct ion_handle *handle)
+ {
+       int ret;
+@@ -435,9 +446,9 @@ static struct ion_handle *ion_handle_get
+       handle = idr_find(&client->idr, id);
+       if (handle)
+-              ion_handle_get(handle);
++              return ion_handle_get_check_overflow(handle);
+-      return handle ? handle : ERR_PTR(-EINVAL);
++      return ERR_PTR(-EINVAL);
+ }
+ struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
+@@ -1197,7 +1208,7 @@ struct ion_handle *ion_import_dma_buf(st
+       /* if a handle exists for this buffer just take a reference to it */
+       handle = ion_handle_lookup(client, buffer);
+       if (!IS_ERR(handle)) {
+-              ion_handle_get(handle);
++              handle = ion_handle_get_check_overflow(handle);
+               mutex_unlock(&client->lock);
+               goto end;
+       }
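Review bot: In `ion_handle_get_check_overflow()` the overflow test and the increment are two separate steps (`atomic_read(&handle->ref.refcount) + 1 == 0`, then `ion_handle_get()`), so the guard only holds if every path that takes a reference on the handle runs under the client lock; the one-line comment states that requirement but nothing checks it. The test also fires only at the single value where the next increment would wrap the counter to zero, which is worth recording, e.g. `/* Must hold the client lock: the read and the kref_get() below are not one atomic step. Rejects only the increment that would wrap the count to 0. */`. If the handle exposes its owning client, a `lockdep_assert_held()` on that lock at the top of the helper would turn the comment into a checked invariant. In the `ion_import_dma_buf` hunk the helper's `ERR_PTR(-EOVERFLOW)` now flows into `goto end`; the `end:` label and the function's callers are outside the visible lines, so it should be confirmed that they treat the value as an error pointer rather than a live handle.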