No kernel security patches for ASB-2018-11, however there
were some from previous ASBs that are now upstream and in
android common kernels

CVE-2018-9363 from ASB-2018-06
CVE-2017-0749 from ASB-2017-08
CVE-2017-0627 from ASB-2017-05
CVE-2017-0564 from ASB-2017-04
CVE-2017-13293 from ASB-2018-04
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

commit 2c155709e4ef2d86d0176aac82e44c048a7e0255 upstream.

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client->lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it

This patch is applied on top of 4.4.y, and applies to older kernels
too.  4.9.y was fixed separately.  Kernels 4.12 and later are
unaffected, since all the underlying ion_handle infrastructure has been
ripped out.

Cc: # v4.4-
Signed-off-by: Greg Hackmann <>
Acked-by: Laura Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Greg Kroah-Hartman <>

1 file changed