This is a note to let you know that I've just added the patch titled
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch
On Fri, Aug 31, 2018 at 01:30:01PM -0700, Greg Hackmann wrote:
> On 08/31/2018 01:27 PM, Greg Hackmann wrote:
> > Change-Id: Ia0542dd8134e81cd5e1412e126545303c766f738
>
> Sorry, please disregard the Change-Id line. This is what I get for
> forgetting to re-run checkpatch after amending my commit
The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles. This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:
On Fri, Aug 31, 2018 at 01:17:20PM -0700, Greg Hackmann wrote:
> On 08/31/2018 01:12 PM, Greg Kroah-Hartman wrote:
> > On Fri, Aug 31, 2018 at 01:06:27PM -0700, Greg Hackmann wrote:
> >> The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
> >> times while operating on one of the
This is a note to let you know that I've just added the patch titled
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch
On Fri, Aug 31, 2018 at 01:06:27PM -0700, Greg Hackmann wrote:
> The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
> times while operating on one of the client's ion_handles. This creates
> windows where userspace can call ION_IOC_FREE on the same client with
> the same
The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles. This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:
