From a781d8130d626b8e6f89b7d5903cd85a73ccac85 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Aug 2018 11:05:37 +0200 Subject: [PATCH] 4.4-stable patches added patches: staging-android-ion-check-for-kref-overflow.patch
---
 queue-4.4/series | 1 +
 ...-android-ion-check-for-kref-overflow.patch | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 queue-4.4/staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index 7198e759e78..21a7573762d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -64,3 +64,4 @@ net-qca_spi-avoid-packet-drop-during-initial-sync.patch
 net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
 net-qca_spi-fix-log-level-if-probe-fails.patch
 tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
+staging-android-ion-check-for-kref-overflow.patch
diff --git a/queue-4.4/staging-android-ion-check-for-kref-overflow.patch b/queue-4.4/staging-android-ion-check-for-kref-overflow.patch
new file mode 100644
index 00000000000..eb54b4ede8c
--- /dev/null
+++ b/queue-4.4/staging-android-ion-check-for-kref-overflow.patch
@@ -0,0 +1,76 @@
+From drosen@google.com Wed Aug 22 11:00:12 2018
+From: Daniel Rosenberg
+Date: Tue, 21 Aug 2018 13:31:50 -0700
+Subject: staging: android: ion: check for kref overflow
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg
+Message-ID: <20180821203150.231997-1-drosen@google.com>
+
+From: Daniel Rosenberg
+
+This patch is against 4.4. It does not apply to master due to a large
+rework of ion in 4.12 which removed the affected functions altogther.
+4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
+
+Userspace can cause the kref to handles to increment
+arbitrarily high. Ensure it does not overflow.
+
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+v2: Fixed patch corruption :(
+
+
+It applies from 3.18 to 4.11, although with a trivial conflict resolution
+for the later branches.
+ drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -15,6 +15,7 @@
+ *
+ */
+ 
++#include
+ #include
+ #include
+ #include
+@@ -387,6 +388,16 @@ static void ion_handle_get(struct ion_ha
+ kref_get(&handle->ref);
+ }
+ 
++/* Must hold the client lock */
++static struct ion_handle *ion_handle_get_check_overflow(
++ struct ion_handle *handle)
++{
++ if (atomic_read(&handle->ref.refcount) + 1 == 0)
++ return ERR_PTR(-EOVERFLOW);
++ ion_handle_get(handle);
++ return handle;
++}
++
+ static int ion_handle_put_nolock(struct ion_handle *handle)
+ {
+ int ret;
+@@ -433,9 +444,9 @@ static struct ion_handle *ion_handle_get
+ 
+ handle = idr_find(&client->idr, id);
+ if (handle)
+- ion_handle_get(handle);
++ return ion_handle_get_check_overflow(handle);
+ 
+- return handle ? handle : ERR_PTR(-EINVAL);
++ return ERR_PTR(-EINVAL);
+ }
+ 
+ struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
+@@ -1202,7 +1213,7 @@ struct ion_handle *ion_import_dma_buf(st
+ /* if a handle exists for this buffer just take a reference to it */
+ handle = ion_handle_lookup(client, buffer);
+ if (!IS_ERR(handle)) {
+- ion_handle_get(handle);
++ handle = ion_handle_get_check_overflow(handle);
+ mutex_unlock(&client->lock);
+ goto end;
+ }
-- 
2.47.3
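Review bot: The guard in ion_handle_get_check_overflow (the `@@ -387,6 +388,16 @@` hunk of the nested patch) refuses only the single increment that would wrap the count to exactly zero; atomic_read returns an int, so a count that has already climbed past INT_MAX into negative values still passes, and `atomic_read(...) + 1` is itself a signed overflow at INT_MAX under plain C semantics. Rejecting as soon as the count is no longer a sane positive value is tighter and needs no arithmetic: `int cnt = atomic_read(&handle->ref.refcount);` / `if (cnt <= 0 || cnt == INT_MAX)` / `return ERR_PTR(-EOVERFLOW);`. The `/* Must hold the client lock */` comment is what makes the read-then-kref_get sequence safe; the ion_import_dma_buf caller visibly releases client->lock right after, but the other caller's locking is not visible in its hunk and both enclosing functions start outside the nested hunks, so the remaining paths cannot be confirmed here. The `#include` line added at the top of ion.c has lost its header name in this rendering, so whether it names the header that provides atomic_read cannot be checked from the page.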