shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 03:03:00 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
3bb5e8bacd0d2bbad0f3bd8019e46bdb0fbb71ef
linux/drivers
History
Greg Hackmann 78819480da staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free 
This patch is 4.9.y only.  Kernels 4.12 and later are unaffected, since
all the underlying ion_handle infrastructure has been ripped out.

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
            handle
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client->lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it
safely.

Cc: stable@vger.kernel.org # v4.11-
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-12 17:15:23 +09:00
..
accessibility
acpi
nfit: fix unchecked dereference in acpi_nfit_ctl
2023-05-12 17:06:56 +09:00
amba
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
2018-05-01 15:13:08 -07:00
amlogic
tee: disable by default
2023-05-12 16:27:16 +09:00
android
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
ata
libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store()
2023-05-12 17:03:51 +09:00
atm
atm: zatm: Fix potential Spectre v1
2023-05-12 16:28:00 +09:00
auxdisplay
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
2018-02-13 12:35:55 +01:00
base
x86/speculation/l1tf: Add sysfs reporting for l1tf
2023-05-12 16:53:02 +09:00
bcma
bcma: use (get|put)_device when probing/removing device driver
2017-03-12 06:41:52 +01:00
block
Merge branch 'android-4.9' into amlogic-4.9-dev
2018-08-07 14:43:24 +08:00
bluetooth
Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
2023-05-12 16:40:31 +09:00
bus
drivers/perf: arm-ccn: don't log to dmesg in event_init
2023-05-12 16:41:49 +09:00
cdrom
cdrom: do not call check_disk_change() inside cdrom_open()
2018-05-30 07:50:47 +02:00
char
tpm: fix race condition in tpm_common_write()
2023-05-12 16:46:31 +09:00
clk
clk: fix 32bit system compatibility issue
2018-08-15 00:30:51 -07:00
clocksource
dts: aarch32: modify timer for aarch32 [1/1]
2018-10-22 19:37:35 -07:00
connector
cpufreq
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
cpuidle
Merge 4.9.111 into android-4.9
2018-07-03 18:27:19 +02:00
crypto
crypto: padlock-aes - Fix Nano workaround data corruption
2023-05-12 16:45:43 +09:00
dax
device-dax: implement ->split() to catch invalid munmap attempts
2018-02-28 10:18:33 +01:00
dca
devfreq
PM / devfreq: Fix potential NULL pointer dereference in governor_store
2018-04-13 19:48:09 +02:00
dio
dma
dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
2023-05-12 17:05:27 +09:00
dma-buf
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
edac
EDAC, altera: Fix ARM64 build warning
2023-05-12 16:42:29 +09:00
eisa
extcon
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
firewire
firewire-ohci: work around oversized DMA reads on JMicron controllers
2018-05-30 07:50:18 +02:00
firmware
Merge 4.9.104 into android-4.9
2018-05-30 13:19:56 +02:00
fmc
fpga
gpio
Merge branch 'android-4.9' into amlogic-4.9-dev
2018-08-07 14:43:24 +08:00
gpu
drm/imx: imx-ldb: check if channel is enabled before printing warning
2023-05-12 17:13:02 +09:00
hardkernel
ODROID-G12: Make hid-multitouch and dwav-usb-mt driver as mouldes.
2022-03-15 09:20:56 +09:00
hid
HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
2023-05-12 17:06:00 +09:00
hsi
HSI: ssi_protocol: double free in ssip_pn_xmit()
2018-03-24 11:00:12 +01:00
hv
Drivers: hv: vmbus: do not mark HV_PCIE as perf_device
2018-04-20 08:20:41 +02:00
hwmon
hwmon: (pmbus/adm1275) Accept negative page register values
2018-05-30 07:50:46 +02:00
hwspinlock
hwtracing
Merge 4.9.107 into android-4.9
2018-06-06 18:34:12 +02:00
i2c
i2c: davinci: Avoid zero value of CLKH
2023-05-12 17:13:34 +09:00
ide
Merge 4.9.104 into android-4.9
2018-05-30 13:19:56 +02:00
idle
idle: i7300: add PCI dependency
2018-02-25 11:05:55 +01:00
iio
iio: pressure: bmp280: fix relative humidity unit
2023-05-12 17:04:50 +09:00
infiniband
RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
2023-05-12 17:06:59 +09:00
input
Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
2023-05-12 16:38:42 +09:00
iommu
iommu/vt-d: Use domain instead of cache fetching
2018-05-30 07:50:20 +02:00
ipack
ipack: print a hex number after a 0x prefix
2016-10-27 18:43:43 -07:00
irqchip
dts: debug: enable ftrace_ramoops for new tm2 dts [1/1]
2019-06-27 16:37:31 +08:00
isdn
isdn: Disable IIOCDBGVAR
2023-05-12 16:57:29 +09:00
leds
DTS: fix the dts configuration error of leds
2018-08-30 20:26:28 -07:00
lguest
lightnvm
macintosh
drivers: macintosh: rack-meter: really fix bogus memsets
2018-05-30 07:50:42 +02:00
mailbox
mailbox: handle empty message in tx_tick
2017-08-06 18:59:42 -07:00
mcb
MCB: add support for SC31 to mcb-lpc
2017-09-09 17:39:41 +02:00
md
md/raid10: fix that replacement cannot complete recovery after reassemble
2023-05-12 17:05:29 +09:00
media
media: si470x: fix __be16 annotations
2023-05-12 16:44:14 +09:00
memory
memory: tegra: Apply interrupts mask per SoC
2023-05-12 16:43:39 +09:00
memstick
memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
2016-10-17 15:43:05 +02:00
message
Merge 4.9.103 into android-4.9
2018-05-25 17:06:35 +02:00
mfd
mfd: cros_ec: Fail early if we cannot identify the EC
2023-05-12 16:40:35 +09:00
misc
mei: don't update offset in write
2023-05-12 17:14:58 +09:00
mmc
mmc: pwrseq: Use kmalloc_array instead of stack VLA
2023-05-12 16:43:29 +09:00
mtd
mtd: nand: qcom: Add a NULL check for devm_kasprintf()
2023-05-12 16:52:27 +09:00
net
drivers: net: lmc: fix case value for target abort error
2023-05-12 17:14:38 +09:00
nfc
NFC: pn533: Fix wrong GFP flag usage
2023-05-12 17:05:02 +09:00
ntb
ntb_transport: Fix bug with max_mw_size parameter
2018-05-30 07:50:22 +02:00
nubus
nvdimm
linvdimm, pmem: Preserve read-only setting for pmem devices
2018-07-03 11:23:13 +02:00
nvme
nvmet: reset keep alive timer in controller enable
2023-05-12 17:04:28 +09:00
nvmem
nvmem: properly handle returned value nvmem_reg_read
2023-05-12 16:42:35 +09:00
of
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
oprofile
parisc
parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
2018-05-30 07:50:43 +02:00
parport
parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
2018-04-08 12:12:57 +02:00
pci
PCI: pciehp: Fix unprotected list iteration in IRQ handler
2023-05-12 17:08:04 +09:00
pcmcia
pcmcia: fix return value of soc_pcmcia_regulator_set
2016-11-11 08:45:08 -08:00
perf
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
phy
phy: work around 'phys' references to usb-nop-xceiv devices
2018-01-23 19:57:07 +01:00
pinctrl
pinctrl: nsp: Fix potential NULL dereference
2023-05-12 17:07:23 +09:00
platform
Merge 4.9.110 into android-4.9
2018-06-26 09:32:02 +08:00
pnp
power
Merge 4.9.97 into android-4.9
2018-04-30 06:05:25 -07:00
powercap
PowerCap: Fix an error code in powercap_register_zone()
2018-04-13 19:47:56 +02:00
pps
ps3
ptp
ptp: fix missing break in switch
2023-05-12 16:37:13 +09:00
pwm
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
rapidio
drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
2017-12-14 09:28:22 +01:00
ras
regulator
regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
2023-05-12 16:42:02 +09:00
remoteproc
remoteproc: qcom: mdt_loader: Don't overwrite firmware object
2017-03-12 06:41:50 +01:00
reset
reset: ti_syscon: fix a ti_syscon_reset_status issue
2017-10-08 10:26:03 +02:00
rpmsg
rpmsg: smd: do not use mananged resources for endpoints and channels
2018-07-03 11:23:13 +02:00
rtc
rtc: ensure rtc_set_alarm fails when alarms are not supported
2023-05-12 16:39:34 +09:00
s390
scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
2018-07-03 11:23:12 +02:00
sbus
scsi
scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
2023-05-12 17:14:48 +09:00
sfi
sh
sn
soc
soc: qcom: wcnss_ctrl: Fix increment in NV upload
2018-05-30 07:50:47 +02:00
spi
ODROID-COMMON: drivers/spi: Revert force64b flag back
2021-02-18 17:47:15 +09:00
spmi
spmi: Include OF based modalias in device uevent
2017-07-27 15:08:08 -07:00
ssb
ssb: Fix error routine when fallback SPROM fails
2017-01-09 08:32:16 +01:00
staging
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
2023-05-12 17:15:23 +09:00
target
tcm_fileio: Prevent information leak for short reads
2018-03-24 11:00:20 +01:00
tc
tee
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
thermal
thermal: exynos: fix setting rising_threshold for Exynos5433
2023-05-12 16:43:14 +09:00
thunderbolt
thunderbolt: Resume control channel after hibernation image is created
2018-04-24 09:34:12 +02:00
tty
serial: 8250_dw: Add ACPI support for uart on Broadcom SoC
2023-05-12 16:57:46 +09:00
uio
uio: fix incorrect memory leak cleanup
2018-04-13 19:47:59 +02:00
usb
usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
2023-05-12 17:13:13 +09:00
uwb
uwb: ensure that endpoint is interrupt
2017-10-12 11:51:19 +02:00
vfio
vfio: platform: Fix reset module leak in error path
2023-05-12 16:39:25 +09:00
vhost
vhost_net: validate sock before trying to put its fd
2023-05-12 16:29:15 +09:00
video
framebuffer: remove lock in fbmem ioctl. [1/1]
2018-11-27 11:12:19 +08:00
virt
mm: replace get_user_pages() write/force parameters with gup_flags
2016-10-19 08:11:43 -07:00
virtio
virtio_balloon: fix another race between migration and ballooning
2023-05-12 16:45:39 +09:00
vlynq
vme
VME: restore bus_remove function causing incomplete module unload
2017-03-12 06:41:50 +01:00
w1
Merge 4.9.111 into android-4.9
2018-07-03 18:27:19 +02:00
watchdog
watchdog: sbsa: use 32-bit read for WCV
2018-05-30 07:50:34 +02:00
xen
xen/scsiback: add error handling for xenbus_printf
2023-05-12 17:04:07 +09:00
zorro
zorro: Set up z->dev.dma_mask for the DMA API
2018-05-30 07:50:44 +02:00
Kconfig
ODROID: sysfs: Add poweroff_trigger sysfs node.
2019-12-11 18:21:09 +09:00
Makefile
ODROID: sysfs: Add poweroff_trigger sysfs node.
2019-12-11 18:21:09 +09:00