From: Amit Pundir
Date: Mon, 11 Sep 2017 17:48:17 +0530
Subject: Re: [PATCH] binder: fix memory corruption in binder_transaction binder
To: Todd Kjos
Cc: Greg Kroah-Hartman, Arve Hjønnevåg, devel@driverdev.osuosl.org, lkml, Martijn Coenen, Todd Kjos, xuyiping@hisilicon.com, gengyanping@hisilicon.com, shiwanglai@hisilicon.com, John Stultz
In-Reply-To: <20170905172152.36227-1-tkjos@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5 September 2017 at 22:51, Todd Kjos wrote:
> From: Xu YiPing
>
> commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are
> safe") made a change to enqueue tcomplete to thread->todo before
> enqueuing the transaction. However, in the err_dead_proc_or_thread case,
> the tcomplete is directly freed, without being dequeued. It may cause the
> thread->todo list to be corrupted.
>
> So, dequeue it before freeing.

I see Android boot loops with this patch on hikey tracking the linux/master branch. The 1st boot is fine, but hikey runs into unexpected short boot loops on the 2nd and successive boots. It takes about 3-4 iterations to finally come to a sane state and boot to UI. I don't see this behaviour if I revert this patch.

Regards,
Amit Pundir

>
> Signed-off-by: Xu YiPing
> Signed-off-by: Todd Kjos > --- > drivers/android/binder.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index d055b3f2a207..96cc28afa383 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -3083,6 +3083,7 @@ static void binder_transaction(struct binder_proc *proc, > err_dead_proc_or_thread: > return_error = BR_DEAD_REPLY; > return_error_line = __LINE__; > + binder_dequeue_work(proc, tcomplete); > err_translate_failed: > err_bad_object_type: > err_bad_offset: > -- > 2.14.1.581.gf28d330327-goog >
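Review bot: the added `binder_dequeue_work(proc, tcomplete);` at the `err_dead_proc_or_thread:` label has no guard that `tcomplete` was actually enqueued on `thread->todo` at the point this label is reached, and the hunk shows nothing about where `tcomplete` is freed, so the dequeue-then-free pairing the commit message describes cannot be verified from these lines. Since the label falls through into `err_translate_failed:` and the other error labels, every jump to it now performs the dequeue; please confirm that `binder_dequeue_work` is safe on a work item that was never queued and that it runs under the same locking as the corresponding enqueue, and consider placing the dequeue directly beside the free of `tcomplete` with a one-line comment stating the ordering, so the two stay together. The reporter above sees repeatable boot loops on hikey with this single-line change applied and not without it, which is a strong reason to re-check this path before merging.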