Re: [PATCH] staging: android: ion: check for kref overflow
On Fri, Aug 31, 2018 at 02:31:38PM -0700, Daniel Rosenberg wrote:
>
>
> On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> > > The sign off was on the 4.4.y version that I cherry-picked this from.
> > Ah that wasn't obvious at all. What is that git commit id? You need to
> > give us a hint as to what is going on when you do that :)
> b84ec04bae905901("staging: android: ion: check for kref overflow") in 4.4.y
> > > There was a trivial conflict moving it to 4.9, but it did not modify
> > > any changed lines, so I hadn't thought that was worth noting on the
> > > patch. I apologise if leaving the signed-off-by was incorrect here.
> > Why did I only apply this to 4.4 and not 4.9 when the original patch was
> > submitted? That seems odd.
> >
> > thanks,
> >
> > greg k-h
> I don't know. I had included it in the range of kernel versions it should be
> applied to in the original patch, and noted the minor conflict for later
> kernel versions. You added it in 3.18 and 4.4, and I assumed not 4.9 because
> of the conflict in applying the patch, so I sent this version.
>
> b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a separate
> file") is the patch that causes the minor conflict in applying the original
> patch.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is the
> patch that removes the affected code altogether in later kernel versions.

Ok, that makes more sense, thanks for letting me know, this was an odd
one-off and I didn't remember it at all.

Now queued up.

greg k-h
Re: [PATCH] staging: android: ion: check for kref overflow
On 08/31/2018 08:56 AM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> > The sign off was on the 4.4.y version that I cherry-picked this from.
> Ah that wasn't obvious at all. What is that git commit id? You need to
> give us a hint as to what is going on when you do that :)

b84ec04bae905901("staging: android: ion: check for kref overflow") in 4.4.y

> > There was a trivial conflict moving it to 4.9, but it did not modify
> > any changed lines, so I hadn't thought that was worth noting on the
> > patch. I apologise if leaving the signed-off-by was incorrect here.
> Why did I only apply this to 4.4 and not 4.9 when the original patch was
> submitted? That seems odd.
>
> thanks,
>
> greg k-h

I don't know. I had included it in the range of kernel versions it should be
applied to in the original patch, and noted the minor conflict for later
kernel versions. You added it in 3.18 and 4.4, and I assumed not 4.9 because
of the conflict in applying the patch, so I sent this version.

b1fa6d8acb50c8e9 ("staging: android: ion: Pull out ion ioctls to a separate
file") is the patch that causes the minor conflict in applying the original
patch.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface") is the
patch that removes the affected code altogether in later kernel versions.
Re: [PATCH] staging: android: ion: check for kref overflow
On Thu, Aug 30, 2018 at 06:36:18PM -0700, Daniel Rosenberg wrote:
> On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> > On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> > > This patch is against 4.9. It does not apply to master due to a large
> > > rework of ion in 4.12 which removed the affected functions altogether.
> > > 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> > >
> > > Userspace can cause the kref to handles to increment
> > > arbitrarily high. Ensure it does not overflow.
> > >
> > > Signed-off-by: Daniel Rosenberg
> > > Signed-off-by: Greg Kroah-Hartman
> > I signed off on this? Where? When? Are you sure?
> >
> > greg k-h
> The sign off was on the 4.4.y version that I cherry-picked this from.

Ah that wasn't obvious at all. What is that git commit id? You need to
give us a hint as to what is going on when you do that :)

> There was a trivial conflict moving it to 4.9, but it did not modify
> any changed lines, so I hadn't thought that was worth noting on the
> patch. I apologise if leaving the signed-off-by was incorrect here.

Why did I only apply this to 4.4 and not 4.9 when the original patch was
submitted? That seems odd.

thanks,

greg k-h
Re: [PATCH] staging: android: ion: check for kref overflow
On 08/30/2018 05:41 PM, Greg Kroah-Hartman wrote:
> On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> > This patch is against 4.9. It does not apply to master due to a large
> > rework of ion in 4.12 which removed the affected functions altogether.
> > 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
> >
> > Userspace can cause the kref to handles to increment
> > arbitrarily high. Ensure it does not overflow.
> >
> > Signed-off-by: Daniel Rosenberg
> > Signed-off-by: Greg Kroah-Hartman
> I signed off on this? Where? When? Are you sure?
>
> greg k-h

The sign off was on the 4.4.y version that I cherry-picked this from.
There was a trivial conflict moving it to 4.9, but it did not modify
any changed lines, so I hadn't thought that was worth noting on the
patch. I apologise if leaving the signed-off-by was incorrect here.

-Daniel
Re: [PATCH] staging: android: ion: check for kref overflow
On Thu, Aug 30, 2018 at 04:09:46PM -0700, Daniel Rosenberg wrote:
> This patch is against 4.9. It does not apply to master due to a large
> rework of ion in 4.12 which removed the affected functions altogether.
> 4c23cbff073f3b9b ("staging: android: ion: Remove import interface")
>
> Userspace can cause the kref to handles to increment
> arbitrarily high. Ensure it does not overflow.
>
> Signed-off-by: Daniel Rosenberg
> Signed-off-by: Greg Kroah-Hartman

I signed off on this? Where? When? Are you sure?

greg k-h
[PATCH] staging: android: ion: check for kref overflow
This patch is against 4.9. It does not apply to master due to a large rework of ion in 4.12 which removed the affected functions altogther. 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Signed-off-by: Daniel Rosenberg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/ion/ion.c | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 6f9974cb0e152..48821948fa487 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -15,6 +15,7 @@ * */ +#include #include #include #include @@ -305,6 +306,16 @@ static void ion_handle_get(struct ion_handle *handle) kref_get(>ref); } +/* Must hold the client lock */ +static struct ion_handle *ion_handle_get_check_overflow( + struct ion_handle *handle) +{ + if (atomic_read(>ref.refcount) + 1 == 0) + return ERR_PTR(-EOVERFLOW); + ion_handle_get(handle); + return handle; +} + int ion_handle_put_nolock(struct ion_handle *handle) { return kref_put(>ref, ion_handle_destroy); @@ -347,9 +358,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, handle = idr_find(>idr, id); if (handle) - ion_handle_get(handle); + return ion_handle_get_check_overflow(handle); - return handle ? handle : ERR_PTR(-EINVAL); + return ERR_PTR(-EINVAL); } struct ion_handle *ion_handle_get_by_id(struct ion_client *client, @@ -1100,7 +,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, /* if a handle exists for this buffer just take a reference to it */ handle = ion_handle_lookup(client, buffer); if (!IS_ERR(handle)) { - ion_handle_get(handle); + handle = ion_handle_get_check_overflow(handle); mutex_unlock(>lock); goto end; } -- 2.19.0.rc0.228.g281dcd1b4d0-goog
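Review bot: In ion_handle_get_check_overflow() the overflow test and the increment are two separate steps (atomic_read() followed by ion_handle_get()), so the guarantee rests entirely on the "Must hold the client lock" comment. Please enforce that in code with a lockdep assertion on the client lock at the top of the helper, and confirm that no remaining direct ion_handle_get() caller can be driven from userspace, since those callers still increment without the check.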
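Review bot: In the ion_handle_get_by_id_nolock() hunk, a lookup that used to return either a valid handle or ERR_PTR(-EINVAL) can now also return ERR_PTR(-EOVERFLOW). Callers that pass this error back to userspace will expose a new errno; please note that in the changelog, or map it to -EINVAL if the ioctl contract should stay unchanged.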
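Review bot: The last hunk header reads "@@ -1100,7 +,7 @@", with no start line for the new file, so the patch will not apply as sent. The earlier hunks add 11 lines in total (the previous hunk moves from 347 to 358), so the header should read "@@ -1100,7 +1111,7 @@"; please regenerate the patch with git format-patch instead of editing it by hand.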
Re: [PATCH] staging: android: ion: check for kref overflow
On Mon, Aug 20, 2018 at 06:30:57PM -0700, Daniel Rosenberg wrote: > Userspace can cause the kref to handles to increment > arbitrarily high. Ensure it does not overflow. > > Signed-off-by: Daniel Rosenberg > --- > > This patch is against 4.4. It does not apply to master due to a large > rework of ion in 4.12 which removed the affected functions altogther. > It applies from 3.18 to 4.11, although with a trivial conflict resolution > for the later branches. > 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") > > drivers/staging/android/ion/ion.c | 16 +--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/staging/android/ion/ion.c > b/drivers/staging/android/ion/ion.c > index 374f840f31a48..11f93a6314fdb 100644 > --- a/drivers/staging/android/ion/ion.c > +++ b/drivers/staging/android/ion/ion.c > @@ -15,6 +15,7 @@ > * > */ > > +#include > #include > #include > #include > @@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle) > kref_get(>ref); > } > > +/* Must hold the client lock */ > +static struct ion_handle *ion_handle_get_check_overflow( > + struct ion_handle *handle) > +{ > + if (atomic_read(>ref.refcount) + 1 == 0) > + return ERR_PTR(-EOVERFLOW); > + ion_handle_get(handle); > + return handle; > +} > + > static int ion_handle_put_nolock(struct ion_handle *handle) > { > int ret; I tried to apply this patch, but it looks like you hand-edited it which made it impossible to apply. Did you do that, or did git really create this broken diff exactly as-is? Try applying this patch yourself, you will see the error. I could fix it by manually editing the diff metadata but I really shouldn't have to as that implies you did not test the patch you sent me :( thanks, greg k-h
[PATCH] staging: android: ion: check for kref overflow
Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Signed-off-by: Daniel Rosenberg --- This patch is against 4.4. It does not apply to master due to a large rework of ion in 4.12 which removed the affected functions altogther. It applies from 3.18 to 4.11, although with a trivial conflict resolution for the later branches. 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") drivers/staging/android/ion/ion.c | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 374f840f31a48..11f93a6314fdb 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -15,6 +15,7 @@ * */ +#include #include #include #include @@ -387,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle) kref_get(>ref); } +/* Must hold the client lock */ +static struct ion_handle *ion_handle_get_check_overflow( + struct ion_handle *handle) +{ + if (atomic_read(>ref.refcount) + 1 == 0) + return ERR_PTR(-EOVERFLOW); + ion_handle_get(handle); + return handle; +} + static int ion_handle_put_nolock(struct ion_handle *handle) { int ret; @@ -433,9 +443,9 @@ static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, handle = idr_find(>idr, id); if (handle) - ion_handle_get(handle); + return ion_handle_get_check_overflow(handle); - return handle ? handle : ERR_PTR(-EINVAL); + return ERR_PTR(-EINVAL); } struct ion_handle *ion_handle_get_by_id(struct ion_client *client, @@ -1202,7 +1212,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd) /* if a handle exists for this buffer just take a reference to it */ handle = ion_handle_lookup(client, buffer); if (!IS_ERR(handle)) { - ion_handle_get(handle); + handle = ion_handle_get_check_overflow(handle); mutex_unlock(>lock); goto end; } -- 2.18.0.865.gffc8e1a3cd6-goog
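Review bot: The second hunk header, "@@ -387,6 +388,15 @@", declares nine added lines, but the hunk carries ten "+" lines, from the "Must hold the client lock" comment through the trailing blank line. The diffstat (13 insertions) and the following hunk offsets (+443, +1212) are short by one in the same way, so git apply will reject the patch; please regenerate it from the commit with git format-patch so that the counts match the body.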
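Review bot: In the ion_import_dma_buf() hunk, handle can now be ERR_PTR(-EOVERFLOW) when the code reaches mutex_unlock() and "goto end", where on this path it was previously always a valid pointer. Please confirm that nothing after the end label dereferences handle, and state in the changelog that importing an already-imported buffer can now fail with -EOVERFLOW.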