From 06e2d61fc5d31e3925464ace7cb7ff07b84797f7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 3 Sep 2018 18:31:12 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
staging-android-ion-check-for-kref-overflow.patch
---
 queue-4.9/series | 1 +
 ...-android-ion-check-for-kref-overflow.patch | 71 +++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 queue-4.9/staging-android-ion-check-for-kref-overflow.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index a225135bddd..7354824720f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -104,3 +104,4 @@ pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch
 power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch
 power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch
 cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch
+staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-4.9/staging-android-ion-check-for-kref-overflow.patch b/queue-4.9/staging-android-ion-check-for-kref-overflow.patch
new file mode 100644
index 00000000000..9b30022fb4f
--- /dev/null
+++ b/queue-4.9/staging-android-ion-check-for-kref-overflow.patch
@@ -0,0 +1,71 @@
+From drosen@google.com Mon Sep 3 18:30:20 2018
+From: Daniel Rosenberg
+Date: Thu, 30 Aug 2018 16:09:46 -0700
+Subject: staging: android: ion: check for kref overflow
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg
+Message-ID: <20180830230946.228701-1-drosen@google.com>
+
+From: Daniel Rosenberg
+
+This patch is against 4.9. It does not apply to master due to a large
+rework of ion in 4.12 which removed the affected functions altogther.
+4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
+
+Userspace can cause the kref to handles to increment
+arbitrarily high. Ensure it does not overflow.
+
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -15,6 +15,7 @@
+ *
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -305,6 +306,16 @@ static void ion_handle_get(struct ion_ha
+ kref_get(&handle->ref);
+ }
+
++/* Must hold the client lock */
++static struct ion_handle *ion_handle_get_check_overflow(
++ struct ion_handle *handle)
++{
++ if (atomic_read(&handle->ref.refcount) + 1 == 0)
++ return ERR_PTR(-EOVERFLOW);
++ ion_handle_get(handle);
++ return handle;
++}
++
+ int ion_handle_put_nolock(struct ion_handle *handle)
+ {
+ return kref_put(&handle->ref, ion_handle_destroy);
+@@ -347,9 +358,9 @@ struct ion_handle *ion_handle_get_by_id_
+
+ handle = idr_find(&client->idr, id);
+ if (handle)
+- ion_handle_get(handle);
++ return ion_handle_get_check_overflow(handle);
+
+- return handle ? 
handle : ERR_PTR(-EINVAL);
++ return ERR_PTR(-EINVAL);
+ }
+
+ static bool ion_handle_validate(struct ion_client *client,
+@@ -1110,7 +1121,7 @@ struct ion_handle *ion_import_dma_buf(st
+ /* if a handle exists for this buffer just take a reference to it */
+ handle = ion_handle_lookup(client, buffer);
+ if (!IS_ERR(handle)) {
+- ion_handle_get(handle);
++ handle = ion_handle_get_check_overflow(handle);
+ mutex_unlock(&client->lock);
+ goto end;
+ }
-- 
2.47.3
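Review bot: In the new `ion_handle_get_check_overflow` helper the guard `atomic_read(&handle->ref.refcount) + 1 == 0` and the `ion_handle_get(handle)` increment are two separate operations, so the check only closes the wrap-to-zero (and the use-after-free a subsequent kref_put would cause) if every path that takes a reference on `handle->ref` runs under `client->lock`; the `/* Must hold the client lock */` comment states that precondition but nothing enforces it. If `struct ion_handle` carries its owning client in 4.9, as the helper's lack of a `client` argument suggests it must for this to be checkable, a `lockdep_assert_held(&handle->client->lock);` at the top of the helper would catch a caller that drops the lock, and the comment should also say what the caller gets back, e.g. `/* Must hold the client lock. Returns handle with an extra reference, or ERR_PTR(-EOVERFLOW) if the count would wrap to zero. */`. The guard itself is signed `int` arithmetic that overflows at INT_MAX long before it reaches the `-1` it is testing for; the kernel builds with `-fno-strict-overflow` so this wraps in practice, but `if (atomic_read(&handle->ref.refcount) == -1)` expresses the same condition without relying on that. The two call sites changed here, in `ion_handle_get_by_id_nolock` and `ion_import_dma_buf`, both appear to be under the client lock as far as the quoted context shows, and both enclosing functions start and end outside the hunks.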