From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eun Taik Lee <eun.taik.lee@samsung.com>,
Laura Abbott <labbott@redhat.com>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 3.18 46/47] staging/android/ion : fix a race condition in the ion driver
Date: Fri, 28 Apr 2017 10:32:59 +0200 [thread overview]
Message-ID: <20170428083040.192923719@linuxfoundation.org> (raw)
In-Reply-To: <20170428083038.327543269@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: EunTaik Lee <eun.taik.lee@samsung.com>
commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 upstream.
There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.
A handle has ref count of 1 and two tasks on different
cpus calls ION_IOC_FREE simultaneously.
cpu 0 cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
ion_handle_get_by_id()
(ref == 3)
ion_free()
(ref == 2)
ion_handle_put()
(ref == 1)
ion_free()
(ref == 0 so ion_handle_destroy() is
called
and the handle is freed.)
ion_handle_put() is called and it
decreases the slub's next free pointer
The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer.(kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.
This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.
To fix this problem client->lock mutex is extended
to protect all the codes that uses the handle.
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
index 7ff2a7ec871f..33b390e7ea31
---
drivers/staging/android/ion/ion.c | 55 +++++++++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 13 deletions(-)
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -389,13 +389,22 @@ static void ion_handle_get(struct ion_ha
kref_get(&handle->ref);
}
-static int ion_handle_put(struct ion_handle *handle)
+static int ion_handle_put_nolock(struct ion_handle *handle)
+{
+ int ret;
+
+ ret = kref_put(&handle->ref, ion_handle_destroy);
+
+ return ret;
+}
+
+int ion_handle_put(struct ion_handle *handle)
{
struct ion_client *client = handle->client;
int ret;
mutex_lock(&client->lock);
- ret = kref_put(&handle->ref, ion_handle_destroy);
+ ret = ion_handle_put_nolock(handle);
mutex_unlock(&client->lock);
return ret;
@@ -419,20 +428,30 @@ static struct ion_handle *ion_handle_loo
return ERR_PTR(-EINVAL);
}
-static struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
+static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
int id)
{
struct ion_handle *handle;
- mutex_lock(&client->lock);
handle = idr_find(&client->idr, id);
if (handle)
ion_handle_get(handle);
- mutex_unlock(&client->lock);
return handle ? handle : ERR_PTR(-EINVAL);
}
+struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
+ int id)
+{
+ struct ion_handle *handle;
+
+ mutex_lock(&client->lock);
+ handle = ion_handle_get_by_id_nolock(client, id);
+ mutex_unlock(&client->lock);
+
+ return handle;
+}
+
static bool ion_handle_validate(struct ion_client *client,
struct ion_handle *handle)
{
@@ -534,22 +553,28 @@ struct ion_handle *ion_alloc(struct ion_
}
EXPORT_SYMBOL(ion_alloc);
-void ion_free(struct ion_client *client, struct ion_handle *handle)
+static void ion_free_nolock(struct ion_client *client, struct ion_handle *handle)
{
bool valid_handle;
BUG_ON(client != handle->client);
- mutex_lock(&client->lock);
valid_handle = ion_handle_validate(client, handle);
if (!valid_handle) {
WARN(1, "%s: invalid handle passed to free.\n", __func__);
- mutex_unlock(&client->lock);
return;
}
+ ion_handle_put_nolock(handle);
+}
+
+void ion_free(struct ion_client *client, struct ion_handle *handle)
+{
+ BUG_ON(client != handle->client);
+
+ mutex_lock(&client->lock);
+ ion_free_nolock(client, handle);
mutex_unlock(&client->lock);
- ion_handle_put(handle);
}
EXPORT_SYMBOL(ion_free);
@@ -1278,11 +1303,15 @@ static long ion_ioctl(struct file *filp,
{
struct ion_handle *handle;
- handle = ion_handle_get_by_id(client, data.handle.handle);
- if (IS_ERR(handle))
+ mutex_lock(&client->lock);
+ handle = ion_handle_get_by_id_nolock(client, data.handle.handle);
+ if (IS_ERR(handle)) {
+ mutex_unlock(&client->lock);
return PTR_ERR(handle);
- ion_free(client, handle);
- ion_handle_put(handle);
+ }
+ ion_free_nolock(client, handle);
+ ion_handle_put_nolock(handle);
+ mutex_unlock(&client->lock);
break;
}
case ION_IOC_SHARE:
next prev parent reply other threads:[~2017-04-28 8:35 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-28 8:32 [PATCH 3.18 00/47] 3.18.51-stable review Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 01/47] KEYS: Disallow keyrings beginning with . to be joined as session keyrings Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 02/47] KEYS: Change the name of the dead type to ".dead" to prevent user access Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 03/47] KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 04/47] tracing: Allocate the snapshot buffer before enabling probe Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 05/47] ring-buffer: Have ring_buffer_iter_empty() return true when empty Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 06/47] cifs: Do not send echoes before Negotiate is complete Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 07/47] CIFS: remove bad_network_name flag Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 08/47] s390/mm: fix CMMA vs KSM vs others Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 09/47] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 10/47] ACPI / power: Avoid maybe-uninitialized warning Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 11/47] mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 12/47] ubi/upd: Always flush after prepared for an update Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 13/47] powerpc/kprobe: Fix oops when kprobed on stdu instruction Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 14/47] x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 15/47] kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 16/47] arm64: avoid returning from bad_mode Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 17/47] clk: at91: usb: fix determine_rate prototype again Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 18/47] gadgetfs: fix uninitialized variable in error handling Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 19/47] dm bufio: hide bogus warning Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 20/47] MIPS: Fix the build on jz4740 after removing the custom gpio.h Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 21/47] perf: Avoid horrible stack usage Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 22/47] fs/nfs: fix new compiler warning about boolean in switch Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 23/47] iommu/vt-d: Remove unused variable Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 24/47] mm/init: fix zone boundary creation Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 25/47] net: ti: cpmac: Fix compiler warning due to type confusion Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 26/47] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 27/47] nfsd: work around a gcc-5.1 warning Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 29/47] brcmfmac: avoid " Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 30/47] tty: nozomi: avoid a harmless gcc warning Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 31/47] net: vxge: avoid unused function warnings Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 33/47] hostap: avoid uninitialized variable use in hfa384x_get_rid Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 34/47] MIPS: MSP71xx: remove odd locking in PCI config space access code Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 35/47] net: tulip: turn compile-time warning into dev_warn() Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 37/47] gfs2: avoid uninitialized variable warning Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 39/47] ARM: 8296/1: cache-l2x0: clean up aurora cache handling Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 40/47] aic94xx: Skip reading user settings if flash is not found Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 41/47] MIPS: ralink: Cosmetic change to prom_init() Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 42/47] kconfig: tinyconfig: provide whole choice blocks to avoid warnings Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 43/47] ARM: 8383/1: nommu: avoid deprecated source register on mov Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 44/47] [media] xc2028: avoid use after free Greg Kroah-Hartman
2017-04-28 8:32 ` [PATCH 3.18 45/47] vfio/pci: Fix integer overflows, bitmask check Greg Kroah-Hartman
2017-04-28 8:32 ` Greg Kroah-Hartman [this message]
2017-04-28 8:33 ` [PATCH 3.18 47/47] ping: implement proper locking Greg Kroah-Hartman
2017-04-28 18:12 ` [PATCH 3.18 00/47] 3.18.51-stable review Guenter Roeck
2017-04-28 19:19 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170428083040.192923719@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=eun.taik.lee@samsung.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).