From 1b5ab335e032ef906305cfbc7be49d291c703ced Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 22 Aug 2018 11:04:16 +0200
Subject: [PATCH] 3.18-stable patches
added patches: staging-android-ion-check-for-kref-overflow.patch
---
 queue-3.18/series | 1 +
 ...-android-ion-check-for-kref-overflow.patch | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 queue-3.18/staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-3.18/series b/queue-3.18/series
index aa0e356032b..c68d4d1da53 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -49,3 +49,4 @@ net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch
 net-qca_spi-avoid-packet-drop-during-initial-sync.patch
 net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
 tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
+staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-3.18/staging-android-ion-check-for-kref-overflow.patch b/queue-3.18/staging-android-ion-check-for-kref-overflow.patch
new file mode 100644
index 00000000000..73c6faf2208
--- /dev/null
+++ b/queue-3.18/staging-android-ion-check-for-kref-overflow.patch
@@ -0,0 +1,76 @@
+From drosen@google.com Wed Aug 22 11:00:12 2018
+From: Daniel Rosenberg
+Date: Tue, 21 Aug 2018 13:31:50 -0700
+Subject: staging: android: ion: check for kref overflow
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg
+Message-ID: <20180821203150.231997-1-drosen@google.com>
+
+From: Daniel Rosenberg
+
+This patch is against 4.4. It does not apply to master due to a large
+rework of ion in 4.12 which removed the affected functions altogther.
+4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
+
+Userspace can cause the kref to handles to increment
+arbitrarily high. Ensure it does not overflow.
+
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+v2: Fixed patch corruption :(
+
+
+It applies from 3.18 to 4.11, although with a trivial conflict resolution
+for the later branches.
+ drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -15,6 +15,7 @@
+ *
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -389,6 +390,16 @@ static void ion_handle_get(struct ion_ha
+ kref_get(&handle->ref);
+ }
+
++/* Must hold the client lock */
++static struct ion_handle *ion_handle_get_check_overflow(
++ struct ion_handle *handle)
++{
++ if (atomic_read(&handle->ref.refcount) + 1 == 0)
++ return ERR_PTR(-EOVERFLOW);
++ ion_handle_get(handle);
++ return handle;
++}
++
+ static int ion_handle_put_nolock(struct ion_handle *handle)
+ {
+ int ret;
+@@ -435,9 +446,9 @@ static struct ion_handle *ion_handle_get
+
+ handle = idr_find(&client->idr, id);
+ if (handle)
+- ion_handle_get(handle);
++ return ion_handle_get_check_overflow(handle);
+
+- return handle ? handle : ERR_PTR(-EINVAL);
++ return ERR_PTR(-EINVAL);
+ }
+
+ struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
+@@ -1197,7 +1208,7 @@ struct ion_handle *ion_import_dma_buf(st
+ /* if a handle exists for this buffer just take a reference to it */
+ handle = ion_handle_lookup(client, buffer);
+ if (!IS_ERR(handle)) {
+- ion_handle_get(handle);
++ handle = ion_handle_get_check_overflow(handle);
+ mutex_unlock(&client->lock);
+ goto end;
+ }
-- 
2.47.3
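Review bot: The guard in ion_handle_get_check_overflow reads the refcount and then bumps it in two separate steps, so it only closes the overflow if every path that takes a reference on a handle holds client->lock; the comment asserts the lock but not why, and the unchecked ion_handle_get it wraps stays callable beside it, so a future caller can bypass the check. A comment such as `/* Must hold the client lock: the atomic_read and the kref_get below are not one atomic step, so the lock is what keeps a concurrent get from slipping past the overflow check; never call ion_handle_get directly on a user-reachable handle */` would make that contract explicit. The test `atomic_read(&handle->ref.refcount) + 1 == 0` is a signed int addition that overflows when the count is INT_MAX; that is defined under the kernel's -fno-strict-overflow build, but `atomic_read(&handle->ref.refcount) == -1` states the same condition without leaning on it. Both call sites' enclosing functions, including the `end:` label in ion_import_dma_buf that now receives an ERR_PTR handle on overflow, start and end outside the nested hunks, so whether every consumer of that handle tolerates an error pointer cannot be confirmed from here.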