android_kernel_oneplus_msm8998/drivers
EunTaik Lee a7544fdd16 staging/android/ion : fix a race condition in the ion driver
commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 upstream.

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.

A handle has a ref count of 1 and two tasks on different
CPUs call ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)

ion_free()
(ref == 2)

ion_handle_put()
(ref == 1)

                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since they use the load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer. (kmalloc returns a pointer like
ffffc0745b4580aa.) And it causes lots of other
hard-to-debug problems.

This symptom is caused because the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.

To fix this problem the client->lock mutex is extended
to protect all the code that uses the handle.

Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

index 7ff2a7ec871f..33b390e7ea31
2017-04-30 05:49:29 +02:00
accessibility
acpi ACPI / power: Avoid maybe-uninitialized warning 2017-04-27 09:09:33 +02:00
amba
android ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct 2016-11-10 16:36:33 +01:00
ata libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices 2017-02-09 08:02:45 +01:00
atm
auxdisplay
base base/memory, hotplug: fix a kernel oops in show_valid_zones() 2017-02-09 08:02:47 +01:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block zram: do not use copy_page with non-page aligned address 2017-04-21 09:30:06 +02:00
bluetooth Bluetooth: Add another AR3012 04ca:3018 device 2017-03-15 09:57:11 +08:00
bus bus: vexpress-config: fix device reference leak 2017-01-19 20:17:22 +01:00
cdrom
char virtio-console: avoid DMA from stack 2017-04-21 09:30:07 +02:00
clk clk: imx31: fix rewritten input argument of mx31_clocks_init() 2017-01-12 11:22:49 +01:00
clocksource clocksource/exynos_mct: Clear interrupt when cpu is shut down 2017-01-26 08:23:48 +01:00
connector
cpufreq cpufreq: Restore policy min/max limits on CPU online 2017-03-30 09:35:18 +02:00
cpuidle ARM: cpuidle: Fix error return code 2016-10-16 17:36:15 +02:00
crypto crypto: caam - fix RNG deinstantiation error checking 2017-04-18 07:14:36 +02:00
dca
devfreq
dio
dma dmaengine: ipu: Make sure the interrupt routine checks all interrupts. 2017-03-12 06:37:30 +01:00
dma-buf
edac EDAC: Increment correct counter in edac_inc_ue_error() 2016-09-07 08:32:41 +02:00
eisa
extcon
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware
fmc
fpga
gpio gpio: mpc8xxx: Correct irq handler function 2016-10-28 03:01:25 -04:00
gpu drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one 2017-04-21 09:30:04 +02:00
hid HID: wacom: Fix poor prox handling in 'wacom_pl_irq' 2017-02-09 08:02:46 +01:00
hsi
hv hv: don't reset hv_context.tsc_page on crash 2017-04-27 09:09:34 +02:00
hwmon hwmon: (g762) Fix overflows and crash seen when writing limit attributes 2017-01-12 11:22:48 +01:00
hwspinlock
hwtracing intel_th: Fix a deadlock in modprobing 2016-08-10 11:49:30 +02:00
i2c i2c: fix kernel memory disclosure in dev interface 2017-01-19 20:17:20 +01:00
ide
idle intel_idle: Support for Intel Xeon Phi Processor x200 Product Family 2016-09-15 08:27:46 +02:00
iio iio: bmg160: reset chip when probing 2017-04-12 12:38:33 +02:00
infiniband IB/srp: Fix race conditions related to task management 2017-03-15 09:57:13 +08:00
input Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled 2017-04-27 09:09:32 +02:00
iommu iommu/vt-d: Fix NULL pointer dereference in device_to_iommu 2017-03-30 09:35:18 +02:00
ipack
irqchip irqchip/irq-imx-gpcv2: Fix spinlock initialization 2017-04-21 09:30:06 +02:00
isdn isdn/gigaset: fix NULL-deref at probe 2017-03-26 12:13:19 +02:00
leds
lguest
lightnvm lightnvm: put bio before return 2016-09-24 10:07:35 +02:00
macintosh
mailbox
mcb
md blk: Ensure users for current->bio_list can see the full list. 2017-04-08 09:53:32 +02:00
media xc2028: avoid use after free 2017-04-30 05:49:28 +02:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-07-27 09:47:35 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-28 03:01:35 -04:00
message
mfd mfd: core: Fix device reference leak in mfd_clone_cell 2016-11-26 09:54:53 +01:00
misc mei: bus: fix mei_cldev_enable KDoc 2017-01-12 11:22:47 +01:00
mmc mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card 2017-04-27 09:09:33 +02:00
mtd ubi/upd: Always flush after prepared for an update 2017-04-27 09:09:33 +02:00
net hostap: avoid uninitialized variable use in hfa384x_get_rid 2017-04-30 05:49:28 +02:00
nfc mei: bus: fix received data size check in NFC fixup 2016-11-18 10:48:36 +01:00
ntb ntb_transport: Pick an unused queue 2017-02-23 17:43:10 +01:00
nubus
nvdimm libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat 2017-04-21 09:30:06 +02:00
nvme nvme: Call pci_disable_device on the error path. 2016-09-15 08:27:51 +02:00
nvmem
of of: silence warnings due to max() usage 2016-11-15 07:46:39 +01:00
oprofile
parisc
parport parport: fix attempt to write duplicate procfiles 2017-03-30 09:35:17 +02:00
pci PCI: Do any VF BAR updates before enabling the BARs 2017-03-30 09:35:20 +02:00
pcmcia
perf drivers/perf: arm_pmu: Fix leak in error path 2016-10-07 15:23:41 +02:00
phy
pinctrl pinctrl: qcom: Don't clear status bit on irq_unmask 2017-03-31 09:49:53 +02:00
platform platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event 2017-04-21 09:30:07 +02:00
pnp PNP: Add Broadwell to Intel MCH size workaround 2016-08-16 09:30:48 +02:00
power power: reset: at91-poweroff: timely shutdown LPDDR memories 2017-04-08 09:53:32 +02:00
powercap
pps pps: do not crash when failed to register 2016-08-10 11:49:25 +02:00
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: Fix regulator_summary for deviceless consumers 2017-03-12 06:37:25 +01:00
remoteproc remoteproc: Fix potential race condition in rproc_add 2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc rtc: tegra: Implement clock handling 2017-04-21 09:30:07 +02:00
s390 s390/zcrypt: Introduce CEX6 toleration 2017-03-30 09:35:20 +02:00
sbus
scsi scsi: sd: Fix capacity calculation with 32-bit sector_t 2017-04-21 09:30:05 +02:00
sfi
sh
sn
soc soc: qcom/spm: shut up uninitialized variable warning 2016-09-24 10:07:42 +02:00
spi spi: mvebu: fix baudrate calculation for armada variant 2017-01-15 13:41:36 +01:00
spmi
ssb ssb: Fix error routine when fallback SPROM fails 2017-01-09 08:07:42 +01:00
staging staging/android/ion : fix a race condition in the ion driver 2017-04-30 05:49:29 +02:00
target iscsi-target: Drop work-around for legacy GlobalSAN initiator 2017-04-21 09:30:05 +02:00
tc
thermal thermal: hwmon: Properly report critical temperature in sysfs 2017-01-09 08:07:44 +01:00
thunderbolt
tty tty: nozomi: avoid a harmless gcc warning 2017-04-30 05:49:27 +02:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb usb: hub: Wait for connection to be reestablished after port reset 2017-04-18 07:14:37 +02:00
uwb uwb: hwa-rc: fix NULL-deref at probe 2017-03-30 09:35:17 +02:00
vfio vfio/pci: Fix integer overflows, bitmask check 2017-04-30 05:49:29 +02:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-09-15 08:27:53 +02:00
video xen, fbfront: fix connecting to backend 2017-04-21 09:30:06 +02:00
virt
virtio virtio_balloon: init 1st buffer in stats vq 2017-03-31 09:49:53 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 06:37:29 +01:00
watchdog
xen xen/acpi: upload PM state from init-domain to Xen 2017-03-30 09:35:18 +02:00
zorro
Kconfig
Makefile