mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-20 13:24:30 -05:00
68 lines
2.0 KiB
Diff
68 lines
2.0 KiB
Diff
|
From 03c26a1d8c8687131da151c2e4bd5a04d08e0dec Mon Sep 17 00:00:00 2001
|
||
|
From: Ariel Yin <ayin@google.com>
|
||
|
Date: Fri, 13 Jan 2017 15:05:54 -0800
|
||
|
Subject: [PATCH] ANDROID: ion: check for kref overflow
|
||
|
|
||
|
Userspace can cause the kref to handles to increment
|
||
|
arbitrarily high. Ensure it does not overflow.
|
||
|
|
||
|
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
||
|
|
||
|
Bug: 31992382
|
||
|
Test: See bug for poc
|
||
|
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
|
||
|
---
|
||
|
drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
|
||
|
1 file changed, 14 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
|
||
|
index cc1b3bff392ac..48b6b86a61945 100644
|
||
|
--- a/drivers/staging/android/ion/ion.c
|
||
|
+++ b/drivers/staging/android/ion/ion.c
|
||
|
@@ -16,6 +16,8 @@
|
||
|
*
|
||
|
*/
|
||
|
|
||
|
+#include <linux/atomic.h>
|
||
|
+#include <linux/err.h>
|
||
|
#include <linux/file.h>
|
||
|
#include <linux/freezer.h>
|
||
|
#include <linux/fs.h>
|
||
|
@@ -400,6 +402,15 @@ static void ion_handle_get(struct ion_handle *handle)
|
||
|
kref_get(&handle->ref);
|
||
|
}
|
||
|
|
||
|
+/* Must hold the client lock */
|
||
|
+static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle)
|
||
|
+{
|
||
|
+ if (atomic_read(&handle->ref.refcount) + 1 == 0)
|
||
|
+ return ERR_PTR(-EOVERFLOW);
|
||
|
+ ion_handle_get(handle);
|
||
|
+ return handle;
|
||
|
+}
|
||
|
+
|
||
|
int ion_handle_put_nolock(struct ion_handle *handle)
|
||
|
{
|
||
|
int ret;
|
||
|
@@ -445,9 +456,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
|
||
|
|
||
|
handle = idr_find(&client->idr, id);
|
||
|
if (handle)
|
||
|
- ion_handle_get(handle);
|
||
|
+ return ion_handle_get_check_overflow(handle);
|
||
|
|
||
|
- return handle ? handle : ERR_PTR(-EINVAL);
|
||
|
+ return ERR_PTR(-EINVAL);
|
||
|
}
|
||
|
|
||
|
struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
|
||
|
@@ -1339,7 +1350,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd)
|
||
|
/* if a handle exists for this buffer just take a reference to it */
|
||
|
handle = ion_handle_lookup(client, buffer);
|
||
|
if (!IS_ERR(handle)) {
|
||
|
- ion_handle_get(handle);
|
||
|
+ handle = ion_handle_get_check_overflow(handle);
|
||
|
mutex_unlock(&client->lock);
|
||
|
goto end;
|
||
|
}
|