2018-08-30 23:11:23

by Daniel Rosenberg

[permalink] [raw]
Subject: [PATCH] staging: android: ion: check for kref overflow

This patch is against 4.9. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogether.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

Userspace can cause the kref on handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 6f9974cb0e152..48821948fa487 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -15,6 +15,7 @@
*
*/

+#include <linux/atomic.h>
#include <linux/device.h>
#include <linux/err.h>
#include <linux/file.h>
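Review bot: the new `#include <linux/atomic.h>` is only needed because the next hunk reads `handle->ref.refcount` with `atomic_read()` directly rather than through the kref API; that is what ties this helper to kref's 4.9 representation (a plain `atomic_t`) and is worth a sentence in the commit message, since it is also why the patch is stable-only.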
@@ -305,6 +306,16 @@ static void ion_handle_get(struct ion_handle *handle)
kref_get(&handle->ref);
}

+/* Must hold the client lock */
+static struct ion_handle *ion_handle_get_check_overflow(
+ struct ion_handle *handle)
+{
+ if (atomic_read(&handle->ref.refcount) + 1 == 0)
+ return ERR_PTR(-EOVERFLOW);
+ ion_handle_get(handle);
+ return handle;
+}
+
int ion_handle_put_nolock(struct ion_handle *handle)
{
return kref_put(&handle->ref, ion_handle_destroy);
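Review bot: the overflow test `atomic_read(&handle->ref.refcount) + 1 == 0` only fires once the count has reached -1, so on a signed `atomic_t` the counter has to pass INT_MAX and run through the negative range first (where `kref_get()`'s own underflow warning will already be firing), and the `+ 1` on INT_MAX is signed overflow in C. A bound check that stops before the sign flips does the same job without the arithmetic, e.g. `if (atomic_read(&handle->ref.refcount) >= INT_MAX) return ERR_PTR(-EOVERFLOW);`. The read-then-`ion_handle_get()` sequence is also not atomic; it is only correct under the "Must hold the client lock" contract in the comment, which both callers in this patch satisfy, so consider a `lockdep_assert_held(&client->lock)`-style check if the client is reachable, or at least spell out that the lock is what serializes the test against concurrent gets.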
@@ -347,9 +358,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,

handle = idr_find(&client->idr, id);
if (handle)
- ion_handle_get(handle);
+ return ion_handle_get_check_overflow(handle);

- return handle ? handle : ERR_PTR(-EINVAL);
+ return ERR_PTR(-EINVAL);
}

struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
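Review bot: `ion_handle_get_by_id_nolock()` can now return `ERR_PTR(-EOVERFLOW)` in addition to `ERR_PTR(-EINVAL)`, and since the function already returned an error pointer before, callers that test `IS_ERR()` need no change; any caller that compares `PTR_ERR()` against `-EINVAL` specifically (not visible in this diff) would need to be checked.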
@@ -1100,7 +1111,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client,
/* if a handle exists for this buffer just take a reference to it */
handle = ion_handle_lookup(client, buffer);
if (!IS_ERR(handle)) {
- ion_handle_get(handle);
+ handle = ion_handle_get_check_overflow(handle);
mutex_unlock(&client->lock);
goto end;
}
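Review bot: after this change `handle` may be an error pointer when control reaches `end:` from the lookup path, which previously always arrived there with a valid handle; the code at `end:` is outside the diff, so confirm it simply returns `handle` (or otherwise tolerates `IS_ERR(handle)`) rather than dereferencing it. The `mutex_unlock(&client->lock)` is correctly kept before the `goto`, so the lock is released on the new error path as well.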
--
2.19.0.rc0.228.g281dcd1b4d0-goog



2018-08-31 00:43:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] staging: android: ion: check for kref overflow

On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> This patch is against 4.9. It does not apply to master due to a large
> rework of ion in 4.12 which removed the affected functions altogether.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
>
> Userspace can cause the kref on handles to increment
> arbitrarily high. Ensure it does not overflow.
>
> Signed-off-by: Daniel Rosenberg <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>

I signed off on this? Where? When? Are you sure?

greg k-h

2018-08-31 01:37:40

by Daniel Rosenberg

[permalink] [raw]
Subject: Re: [PATCH] staging: android: ion: check for kref overflow

On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
>> This patch is against 4.9. It does not apply to master due to a large
>> rework of ion in 4.12 which removed the affected functions altogether.
>> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
>>
>> Userspace can cause the kref on handles to increment
>> arbitrarily high. Ensure it does not overflow.
>>
>> Signed-off-by: Daniel Rosenberg <[email protected]>
>> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> I signed off on this? Where? When? Are you sure?
>
> greg k-h
The sign off was on the 4.4.y version that I cherry-picked this from.
There was a trivial conflict moving it to 4.9, but it did not modify any
changed lines, so I hadn't thought that was worth noting on the patch. I
apologise if leaving the signed-off-by was incorrect here.

-Daniel

2018-08-31 15:58:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] staging: android: ion: check for kref overflow

On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> > > This patch is against 4.9. It does not apply to master due to a large
> > > rework of ion in 4.12 which removed the affected functions altogether.
> > > 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> > >
> > > Userspace can cause the kref on handles to increment
> > > arbitrarily high. Ensure it does not overflow.
> > >
> > > Signed-off-by: Daniel Rosenberg <[email protected]>
> > > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> > I signed off on this? Where? When? Are you sure?
> >
> > greg k-h
> The sign off was on the 4.4.y version that I cherry-picked this from.

Ah that wasn't obvious at all. What is that git commit id? You need to
give us a hint as to what is going on when you do that :)

> There was a trivial conflict moving it to 4.9, but it did not modify
> any changed lines, so I hadn't thought that was worth noting on the
> patch. I apologise if leaving the signed-off-by was incorrect here.

Why did I only apply this to 4.4 and not 4.9 when the original patch was
submitted? That seems odd.

thanks,

greg k-h

2018-08-31 21:33:08

by Daniel Rosenberg

[permalink] [raw]
Subject: Re: [PATCH] staging: android: ion: check for kref overflow



On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
>> The sign off was on the 4.4.y version that I cherry-picked this from.
> Ah that wasn't obvious at all. What is that git commit id? You need to
> give us a hint as to what is going on when you do that :)
b84ec04bae905901 ("staging: android: ion: check for kref overflow") in 4.4.y
>> There was a trivial conflict moving it to 4.9, but it did not modify
>> any changed lines, so I hadn't thought that was worth noting on the
>> patch. I apologise if leaving the signed-off-by was incorrect here.
> Why did I only apply this to 4.4 and not 4.9 when the original patch was
> submitted? That seems odd.
>
> thanks,
>
> greg k-h
I don't know. I had included it in the range of kernel versions it
should be applied to in the original patch, and noted the minor conflict
for later kernel versions. You added it in 3.18 and 4.4, and I assumed
not 4.9 because of the conflict in applying the patch, so I sent this
version.

b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a
separate file") is the patch that causes the minor conflict in applying
the original patch.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is
the patch that removes the affected code altogether in later kernel
versions.

2018-09-03 16:33:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] staging: android: ion: check for kref overflow

On Fri, Aug 31, 2018 at 02:31:38PM -0700, Daniel Rosenberg wrote:
>
>
> On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> > > The sign off was on the 4.4.y version that I cherry-picked this from.
> > Ah that wasn't obvious at all. What is that git commit id? You need to
> > give us a hint as to what is going on when you do that :)
> b84ec04bae905901 ("staging: android: ion: check for kref overflow") in 4.4.y
> > > There was a trivial conflict moving it to 4.9, but it did not modify
> > > any changed lines, so I hadn't thought that was worth noting on the
> > > patch. I apologise if leaving the signed-off-by was incorrect here.
> > Why did I only apply this to 4.4 and not 4.9 when the original patch was
> > submitted? That seems odd.
> >
> > thanks,
> >
> > greg k-h
> I don't know. I had included it in the range of kernel versions it should be
> applied to in the original patch, and noted the minor conflict for later
> kernel versions. You added it in 3.18 and 4.4, and I assumed not 4.9 because
> of the conflict in applying the patch, so I sent this version.
>
> b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a separate
> file") is the patch that causes the minor conflict in applying the original
> patch.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is the
> patch that removes the affected code altogether in later kernel versions.

Ok, that makes more sense, thanks for letting me know, this was an odd
one-off and I didn't remember it at all.

Now queued up.

greg k-h