From: Daniel Rosenberg
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Daniel Rosenberg
Subject: [PATCH] staging: android: ion: check for kref overflow
Date: Mon, 20 Aug 2018 18:30:57 -0700
Message-Id: <20180821013057.139644-1-drosen@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Userspace can cause the kref to handles to increment arbitrarily high.
Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg
---
This patch is against 4.4. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogether.
It applies from 3.18 to 4.11, although with a trivial conflict resolution
for the later branches.

4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

 drivers/staging/android/ion/ion.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 374f840f31a48..11f93a6314fdb 100644
--- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -15,6 +15,7 @@ * */ +#include #include #include #include @@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle) kref_get(&handle->ref); } +/* Must hold the client lock */ +static struct ion_handle *ion_handle_get_check_overflow( + struct ion_handle *handle) +{ + if (atomic_read(&handle->ref.refcount) + 1 == 0) + return ERR_PTR(-EOVERFLOW); + ion_handle_get(handle); + return handle; +} + static int ion_handle_put_nolock(struct ion_handle *handle) { int ret; @@ -433,9 +443,9 @@ static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, handle = idr_find(&client->idr, id); if (handle) - ion_handle_get(handle); + return ion_handle_get_check_overflow(handle); - return handle ? handle : ERR_PTR(-EINVAL); + return ERR_PTR(-EINVAL); } struct ion_handle *ion_handle_get_by_id(struct ion_client *client, @@ -1202,7 +1212,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd) /* if a handle exists for this buffer just take a reference to it */ handle = ion_handle_lookup(client, buffer); if (!IS_ERR(handle)) { - ion_handle_get(handle); + handle = ion_handle_get_check_overflow(handle); mutex_unlock(&client->lock); goto end; } -- 2.18.0.865.gffc8e1a3cd6-goog
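
Review bot: In ion_handle_get_check_overflow() (hunk @@ -387,6 +388,15), the condition `atomic_read(&handle->ref.refcount) + 1 == 0` is true only when the counter reads -1, so the count may still pass INT_MAX and go negative; only the final increment that would wrap it to 0 is refused. A short comment stating that this is the intended bound would help, since the function name suggests a signed-overflow check. The read and the ion_handle_get() that follows are separate operations, so the check holds only under the client lock named in the comment above the function; an assertion that the lock is held would make that requirement enforceable rather than documentary. The helper also reads the kref's internal refcount field directly, which ties it to kref's current layout.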
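
Review bot: In ion_handle_get_by_id_nolock() (hunk @@ -433,9 +443,9), the function can now return ERR_PTR(-EOVERFLOW) as well as ERR_PTR(-EINVAL). Its callers are not part of this patch, so it is worth confirming that each one tests the result with IS_ERR() and passes PTR_ERR() through rather than assuming -EINVAL, and mentioning the new error value in the commit message.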
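
Review bot: In ion_import_dma_buf() (hunk @@ -1202,7 +1212,7), `handle = ion_handle_get_check_overflow(handle);` can leave an ERR_PTR in handle before the `goto end`. The code at the end label is outside the visible context, so please confirm that it does not dereference handle and that the error pointer is what gets returned to the caller; the existing `if (!IS_ERR(handle))` guard covers only the lookup result, not the value assigned inside the branch.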