Date: Tue, 21 Aug 2018 07:13:36 +0200
From: Greg Kroah-Hartman
To: Daniel Rosenberg
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH] staging: android: ion: check for kref overflow
Message-ID: <20180821051336.GA23394@kroah.com>
In-Reply-To: <20180821013057.139644-1-drosen@google.com>

On Mon, Aug 20, 2018 at 06:30:57PM -0700, Daniel Rosenberg wrote:
> Userspace can cause the kref to handles to increment
> arbitrarily high. Ensure it does not overflow.
>
> Signed-off-by: Daniel Rosenberg
> ---
>
> This patch is against 4.4. It does not apply to master due to a large
> rework of ion in 4.12 which removed the affected functions altogether.
> It applies from 3.18 to 4.11, although with a trivial conflict resolution
> for the later branches.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
>
> drivers/staging/android/ion/ion.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c > index 374f840f31a48..11f93a6314fdb 100644 > --- a/drivers/staging/android/ion/ion.c > +++ b/drivers/staging/android/ion/ion.c > @@ -15,6 +15,7 @@ > * > */ > > +#include > #include > #include > #include > @@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle) > kref_get(&handle->ref); > } > > +/* Must hold the client lock */ > +static struct ion_handle *ion_handle_get_check_overflow( > + struct ion_handle *handle) > +{ > + if (atomic_read(&handle->ref.refcount) + 1 == 0) > + return ERR_PTR(-EOVERFLOW); > + ion_handle_get(handle); > + return handle; > +} > + > static int ion_handle_put_nolock(struct ion_handle *handle) > { > int ret;

I tried to apply this patch, but it looks like you hand-edited it which made it impossible to apply. Did you do that, or did git really create this broken diff exactly as-is? Try applying this patch yourself, you will see the error. I could fix it by manually editing the diff metadata but I really shouldn't have to as that implies you did not test the patch you sent me :(

thanks,

greg k-h
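
Review bot: In ion_handle_get_check_overflow(), the atomic_read() of handle->ref.refcount and the ion_handle_get() that follows are two separate steps, so the overflow check only holds if every path that takes a reference is serialized by the client lock that the comment names. Consider asserting that lock inside the helper (for example with lockdep_assert_held()) rather than relying on the comment alone, and note that callers which keep using plain ion_handle_get() are not covered by the check. Separately, as quoted this hunk carries ten added lines while its header, "@@ -387,6 +388,15 @@", accounts for nine, which is consistent with the apply failure reported in the reply; regenerating the patch with git format-patch instead of editing it by hand would bring the counts back in line.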