Subject: Re: [PATCH] staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
To: Greg Kroah-Hartman, Greg Hackmann
Cc: linux-kernel@vger.kernel.org, Laura Abbott, Sumit Semwal, devel@driverdev.osuosl.org, kernel-team@android.com, stable@vger.kernel.org
References: <20180831200627.59712-1-ghackmann@google.com> <20180831201232.GA23559@kroah.com>
From: Greg Hackmann
Date: Fri, 31 Aug 2018 13:17:20 -0700
In-Reply-To: <20180831201232.GA23559@kroah.com>

On 08/31/2018 01:12 PM, Greg Kroah-Hartman wrote:
> On Fri, Aug 31, 2018 at 01:06:27PM -0700, Greg Hackmann wrote:
>> The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
>> times while operating on one of the client's ion_handles. This creates
>> windows where userspace can call ION_IOC_FREE on the same client with
>> the same handle, and effectively make the kernel drop its own reference.
>> For example:
>>
>> - thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
>> - thread A: starts ION_IOC_MAP and increments the refcount to 2
>> - thread B: ION_IOC_FREE decrements the refcount to 1
>> - thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
>>   handle
>> - thread A: continues ION_IOC_MAP with a dangling ion_handle * to
>>   freed memory
>>
>> Fix this by holding client->lock for the duration of
>> ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE. Also
>> remove ion_handle_get_by_id(), since there's literally no way to use it
>> safely.
>>
>> This patch is applied on top of 4.9.y. Kernels 4.12 and later are
>> unaffected, since all the underlying ion_handle infrastructure has been
>> ripped out.
>
> Does 4.4.y or older also need this? If so, can you send backports, as
> this one does not apply there.
>
> thanks,
>
> greg k-h
>

Yes, 4.4.y and older will need this. If there are no objections to this patch, I'll send backports ASAP.