* [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-30 23:09 Daniel Rosenberg
From: Daniel Rosenberg @ 2018-08-30 23:09 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman; +Cc: linux-kernel, kernel-team, Daniel Rosenberg

This patch is against 4.9. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogether.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 6f9974cb0e152..48821948fa487 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -15,6 +15,7 @@
  *
  */
 
+#include <linux/atomic.h>
 #include <linux/device.h>
 #include <linux/err.h>
 #include <linux/file.h>
@@ -305,6 +306,16 @@ static void ion_handle_get(struct ion_handle *handle)
 	kref_get(&handle->ref);
 }
 
+/* Must hold the client lock */
+static struct ion_handle *ion_handle_get_check_overflow(
+					struct ion_handle *handle)
+{
+	if (atomic_read(&handle->ref.refcount) + 1 == 0)
+		return ERR_PTR(-EOVERFLOW);
+	ion_handle_get(handle);
+	return handle;
+}
+
 int ion_handle_put_nolock(struct ion_handle *handle)
 {
 	return kref_put(&handle->ref, ion_handle_destroy);
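Review bot: the check in ion_handle_get_check_overflow() refuses only the single increment that would land the counter on zero. Because atomic_read() returns a signed int, `atomic_read(&handle->ref.refcount) + 1 == 0` is true only when the counter is -1 (all bits set), so the count is still free to climb through INT_MAX and go negative before anything refuses it, and the expression itself relies on wrapping integer arithmetic to be meaningful. A bound well below the wrap point (refusing once the count exceeds INT_MAX, say) would keep the counter in sane territory without depending on overflow behaviour. Also, the read and the kref_get() inside ion_handle_get() are two separate steps, so the `/* Must hold the client lock */` comment is what makes the check sound; it is worth stating in the commit message that every caller holds client->lock, since that comment is the only enforcement.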
@@ -347,9 +358,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
 
 	handle = idr_find(&client->idr, id);
 	if (handle)
-		ion_handle_get(handle);
+		return ion_handle_get_check_overflow(handle);
 
-	return handle ? handle : ERR_PTR(-EINVAL);
+	return ERR_PTR(-EINVAL);
 }
 
 struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
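Review bot: ion_handle_get_by_id_nolock() now has two error values, -EINVAL for an unknown id and -EOVERFLOW for a refused get, and its callers are not in the diff; confirm that each of them tests IS_ERR() (not `!handle` or a NULL compare) and that none of them pairs the failure with an ion_handle_put_nolock(), since a refused get took no reference and a put on that path would drop someone else's. The restructuring itself is fine: `return handle ? handle : ERR_PTR(-EINVAL)` is correctly reduced to the not-found case now that the found case returns early.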
@@ -1100,7 +1111,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client,
 	/* if a handle exists for this buffer just take a reference to it */
 	handle = ion_handle_lookup(client, buffer);
 	if (!IS_ERR(handle)) {
-		ion_handle_get(handle);
+		handle = ion_handle_get_check_overflow(handle);
 		mutex_unlock(&client->lock);
 		goto end;
 	}
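Review bot: `handle = ion_handle_get_check_overflow(handle);` followed by `goto end` means `end:` can now be reached with an ERR_PTR in handle, which this branch could not produce before. The label is outside the hunk, so verify that the code after `end` only releases what was acquired before the lookup (the lock is already dropped here) and returns handle without dereferencing it; if `end` does anything with handle on the success path, that needs an IS_ERR() guard in this version of the function.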
-- 
2.19.0.rc0.228.g281dcd1b4d0-goog


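As an added illustration, not part of the patch or of the kernel's code, the userspace C model below reproduces the logic of ion_handle_get_check_overflow() with the kernel types replaced by plain counters and shows what the check prevents: an unchecked get at the counter's maximum wraps it to zero, after which an unrelated get/put pair releases the object while every earlier holder still references it, whereas the checked get refuses the last increment and leaves the count untouched. All `model_` and `demo_` names are invented for this example; `atomic_t`, `kref_get()` and `kref_put()` are stood in for by a single unsigned counter with no concurrency.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel types used by the patch: atomic_t becomes a plain
 * unsigned counter (no concurrency in this model) and ion_handle keeps only
 * the kref plus a flag recording whether ion_handle_destroy() would have run. */
struct model_kref { unsigned int refcount; };
struct model_handle { struct model_kref ref; bool destroyed; };

/* atomic_read() returns a signed int, which is why the patch writes its test
 * as "+ 1 == 0": it fires only when every bit of the counter is set.
 * The cast assumes two's complement, as the kernel does: UINT_MAX reads as -1. */
static int model_atomic_read(const struct model_kref *k)
{
	return (int)k->refcount;
}

/* Unchecked get, as ion_handle_get() before the patch: the counter wraps. */
static void model_handle_get(struct model_handle *h)
{
	h->ref.refcount++;
}

/* Checked get mirroring ion_handle_get_check_overflow() from the patch.
 * Written as "== -1" rather than "+ 1 == 0" so this userspace model does not
 * rely on signed wraparound; the two are equivalent under the kernel's
 * wrapping-arithmetic build. Returns 0, or -EOVERFLOW where the kernel
 * returns ERR_PTR(-EOVERFLOW). */
static int model_handle_get_check_overflow(struct model_handle *h)
{
	if (model_atomic_read(&h->ref) == -1)
		return -EOVERFLOW;
	model_handle_get(h);
	return 0;
}

/* Put, as kref_put(): run the release once the count reaches zero. */
static void model_handle_put(struct model_handle *h)
{
	if (--h->ref.refcount == 0)
		h->destroyed = true;
}

/* Scenario A: without the check, one get at UINT_MAX wraps the count to 0.
 * The next unrelated get/put pair then destroys the handle while the earlier
 * holders still reference it. Returns true if the object was released. */
static bool demo_unchecked_wrap(void)
{
	struct model_handle h = { .ref = { UINT_MAX }, .destroyed = false };

	model_handle_get(&h);   /* UINT_MAX + 1 wraps: refcount is now 0 */
	model_handle_get(&h);   /* a later user takes a reference: 1 */
	model_handle_put(&h);   /* that user drops it: 0, object released */
	return h.destroyed;
}

/* Scenario B: with the check, the get at the limit is refused with
 * -EOVERFLOW, the count stays at UINT_MAX and nothing is released. */
static bool demo_checked_refuses(void)
{
	struct model_handle h = { .ref = { UINT_MAX }, .destroyed = false };
	int err = model_handle_get_check_overflow(&h);

	return err == -EOVERFLOW && h.ref.refcount == UINT_MAX && !h.destroyed;
}

/* Scenario C: how many checked gets succeed from a given starting count
 * before the first refusal. Only the last increment is refused, so from
 * UINT_MAX - 2 exactly two succeed. (Do not call this with a small start:
 * it would loop until the counter reaches the limit.) */
static unsigned int demo_gets_until_refused(unsigned int start)
{
	struct model_handle h = { .ref = { start }, .destroyed = false };
	unsigned int ok = 0;

	while (model_handle_get_check_overflow(&h) == 0)
		ok++;
	return ok;
}

int main(void)
{
	bool wrapped = demo_unchecked_wrap();
	bool refused = demo_checked_refuses();
	unsigned int ok = demo_gets_until_refused(UINT_MAX - 2);

	printf("unchecked get: released with holders alive = %d\n", wrapped);
	printf("checked get at limit: refused and count intact = %d\n", refused);
	printf("checked gets from UINT_MAX-2 before refusal: %u\n", ok);
	return 0;
}
```

Scenario C makes the reviewer's caveat concrete: the patch's test is an exact-wrap check, so the counter is allowed to grow all the way to its maximum before a get is refused; a lower bound would refuse earlier at no cost to correct users.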

* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-31  0:41 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-08-31  0:41 UTC (permalink / raw)
  To: Daniel Rosenberg; +Cc: stable, linux-kernel, kernel-team

On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> This patch is against 4.9. It does not apply to master due to a large
> rework of ion in 4.12 which removed the affected functions altogether.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> 
> Userspace can cause the kref to handles to increment
> arbitrarily high. Ensure it does not overflow.
> 
> Signed-off-by: Daniel Rosenberg <drosen@google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

I signed off on this?  Where?  When?  Are you sure?

greg k-h


* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-31  1:36 Daniel Rosenberg
From: Daniel Rosenberg @ 2018-08-31  1:36 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: stable, linux-kernel, kernel-team

On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
>> This patch is against 4.9. It does not apply to master due to a large
>> rework of ion in 4.12 which removed the affected functions altogether.
>> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
>>
>> Userspace can cause the kref to handles to increment
>> arbitrarily high. Ensure it does not overflow.
>>
>> Signed-off-by: Daniel Rosenberg <drosen@google.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> I signed off on this?  Where?  When?  Are you sure?
>
> greg k-h
The sign off was on the 4.4.y version that I cherry-picked this from. 
There was a trivial conflict moving it to 4.9, but it did not modify any 
changed lines, so I hadn't thought that was worth noting on the patch. I 
apologise if leaving the signed-off-by was incorrect here.

-Daniel


* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-31 15:56 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-08-31 15:56 UTC (permalink / raw)
  To: Daniel Rosenberg; +Cc: stable, linux-kernel, kernel-team

On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> > > This patch is against 4.9. It does not apply to master due to a large
> > > rework of ion in 4.12 which removed the affected functions altogether.
> > > 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> > > 
> > > Userspace can cause the kref to handles to increment
> > > arbitrarily high. Ensure it does not overflow.
> > > 
> > > Signed-off-by: Daniel Rosenberg <drosen@google.com>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > I signed off on this?  Where?  When?  Are you sure?
> > 
> > greg k-h
> The sign off was on the 4.4.y version that I cherry-picked this from.

Ah that wasn't obvious at all.  What is that git commit id?  You need to
give us a hint as to what is going on when you do that :)

> There was a trivial conflict moving it to 4.9, but it did not modify
> any changed lines, so I hadn't thought that was worth noting on the
> patch. I apologise if leaving the signed-off-by was incorrect here.

Why did I only apply this to 4.4 and not 4.9 when the original patch was
submitted?  That seems odd.

thanks,

greg k-h


* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-31 21:31 Daniel Rosenberg
From: Daniel Rosenberg @ 2018-08-31 21:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: stable, linux-kernel, kernel-team



On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
>> The sign off was on the 4.4.y version that I cherry-picked this from.
> Ah that wasn't obvious at all.  What is that git commit id?  You need to
> give us a hint as to what is going on when you do that :)
b84ec04bae905901 ("staging: android: ion: check for kref overflow") in 4.4.y
>> There was a trivial conflict moving it to 4.9, but it did not modify
>> any changed lines, so I hadn't thought that was worth noting on the
>> patch. I apologise if leaving the signed-off-by was incorrect here.
> Why did I only apply this to 4.4 and not 4.9 when the original patch was
> submitted?  That seems odd.
>
> thanks,
>
> greg k-h
I don't know. I had included it in the range of kernel versions it 
should be applied to in the original patch, and noted the minor conflict 
for later kernel versions. You added it in 3.18 and 4.4, and I assumed 
not 4.9 because of the conflict in applying the patch, so I sent this 
version.

b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a 
separate file") is the patch that causes the minor conflict in applying 
the original patch.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is 
the patch that removes the affected code altogether in later kernel 
versions.


* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-09-03 16:31 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-09-03 16:31 UTC (permalink / raw)
  To: Daniel Rosenberg; +Cc: stable, linux-kernel, kernel-team

On Fri, Aug 31, 2018 at 02:31:38PM -0700, Daniel Rosenberg wrote:
> 
> 
> On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> > > The sign off was on the 4.4.y version that I cherry-picked this from.
> > Ah that wasn't obvious at all.  What is that git commit id?  You need to
> > give us a hint as to what is going on when you do that :)
> b84ec04bae905901 ("staging: android: ion: check for kref overflow") in 4.4.y
> > > There was a trivial conflict moving it to 4.9, but it did not modify
> > > any changed lines, so I hadn't thought that was worth noting on the
> > > patch. I apologise if leaving the signed-off-by was incorrect here.
> > Why did I only apply this to 4.4 and not 4.9 when the original patch was
> > submitted?  That seems odd.
> > 
> > thanks,
> > 
> > greg k-h
> I don't know. I had included it in the range of kernel versions it should be
> applied to in the original patch, and noted the minor conflict for later
> kernel versions. You added it in 3.18 and 4.4, and I assumed not 4.9 because
> of the conflict in applying the patch, so I sent this version.
> 
> b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a separate
> file") is the patch that causes the minor conflict in applying the original
> patch.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is the
> patch that removes the affected code altogether in later kernel versions.

Ok, that makes more sense, thanks for letting me know, this was an odd
one-off and I didn't remember it at all.

Now queued up.

greg k-h


* Re: [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-21  5:13 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-08-21  5:13 UTC (permalink / raw)
  To: Daniel Rosenberg; +Cc: stable, linux-kernel, kernel-team

On Mon, Aug 20, 2018 at 06:30:57PM -0700, Daniel Rosenberg wrote:
> Userspace can cause the kref to handles to increment
> arbitrarily high. Ensure it does not overflow.
> 
> Signed-off-by: Daniel Rosenberg <drosen@google.com>
> ---
> 
> This patch is against 4.4. It does not apply to master due to a large
> rework of ion in 4.12 which removed the affected functions altogether.
> It applies from 3.18 to 4.11, although with a trivial conflict resolution
> for the later branches.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> 
>  drivers/staging/android/ion/ion.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
> index 374f840f31a48..11f93a6314fdb 100644
> --- a/drivers/staging/android/ion/ion.c
> +++ b/drivers/staging/android/ion/ion.c
> @@ -15,6 +15,7 @@
>   *
>   */
>  
> +#include <linux/atomic.h>
>  #include <linux/device.h>
>  #include <linux/err.h>
>  #include <linux/file.h>
> @@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle)
>  	kref_get(&handle->ref);
>  }
>  
> +/* Must hold the client lock */
> +static struct ion_handle *ion_handle_get_check_overflow(
> +					struct ion_handle *handle)
> +{
> +	if (atomic_read(&handle->ref.refcount) + 1 == 0)
> +		return ERR_PTR(-EOVERFLOW);
> +	ion_handle_get(handle);
> +	return handle;
> +}
> +
>  static int ion_handle_put_nolock(struct ion_handle *handle)
>  {
>  	int ret;
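Review bot: the hunk header `@@ -387,6 +388,15 @@` does not match the hunk body. The body carries 6 context lines (three before the insertion, three after) plus 10 `+` lines (the comment, the nine lines of the function, and the trailing blank `+` line), so the new-side count must be 16, not 15. That one-line discrepancy is what makes git apply reject the patch as corrupt; regenerate the patch with git format-patch rather than editing hunk headers by hand.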

I tried to apply this patch, but it looks like you hand-edited it which
made it impossible to apply.  Did you do that, or did git really create
this broken diff exactly as-is?

Try applying this patch yourself, you will see the error.  I could fix
it by manually editing the diff metadata but I really shouldn't have to
as that implies you did not test the patch you sent me :(

thanks,

greg k-h


* [PATCH] staging: android: ion: check for kref overflow
@ 2018-08-21  1:30 Daniel Rosenberg
From: Daniel Rosenberg @ 2018-08-21  1:30 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman; +Cc: linux-kernel, kernel-team, Daniel Rosenberg

Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
---

This patch is against 4.4. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogether.
It applies from 3.18 to 4.11, although with a trivial conflict resolution
for the later branches.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

 drivers/staging/android/ion/ion.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 374f840f31a48..11f93a6314fdb 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -15,6 +15,7 @@
  *
  */
 
+#include <linux/atomic.h>
 #include <linux/device.h>
 #include <linux/err.h>
 #include <linux/file.h>
@@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle)
 	kref_get(&handle->ref);
 }
 
+/* Must hold the client lock */
+static struct ion_handle *ion_handle_get_check_overflow(
+					struct ion_handle *handle)
+{
+	if (atomic_read(&handle->ref.refcount) + 1 == 0)
+		return ERR_PTR(-EOVERFLOW);
+	ion_handle_get(handle);
+	return handle;
+}
+
 static int ion_handle_put_nolock(struct ion_handle *handle)
 {
 	int ret;
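Review bot: the diffstat `1 file changed, 13 insertions(+), 3 deletions(-)` undercounts what the hunks contain: this hunk alone has 10 `+` lines and the other three hunks add 1, 2 and 1, i.e. 14 insertions, which is also the figure the 4.9 version of this patch reports. The next hunk's `+443` offset (a shift of 10 from `-433`) is derived from the same short count in this hunk's header, where 1 + 10 would give a shift of 11. Re-export the patch from git so that header counts, offsets and diffstat are consistent; a hand-edited header is enough on its own to make the patch unapplicable.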
@@ -433,9 +443,9 @@ static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
 
 	handle = idr_find(&client->idr, id);
 	if (handle)
-		ion_handle_get(handle);
+		return ion_handle_get_check_overflow(handle);
 
-	return handle ? handle : ERR_PTR(-EINVAL);
+	return ERR_PTR(-EINVAL);
 }
 
 struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
@@ -1202,7 +1212,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd)
 	/* if a handle exists for this buffer just take a reference to it */
 	handle = ion_handle_lookup(client, buffer);
 	if (!IS_ERR(handle)) {
-		ion_handle_get(handle);
+		handle = ion_handle_get_check_overflow(handle);
 		mutex_unlock(&client->lock);
 		goto end;
 	}
-- 
2.18.0.865.gffc8e1a3cd6-goog

