Date: Mon, 26 Feb 2018 09:21:19 -0800
From: Guenter Roeck
To: "gregkh@linuxfoundation.org"
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot, Eric Biggers
Subject: Re: [4.4, 027/193] binder: check for binder_thread allocation failure in binder_poll()
Message-ID: <20180226172119.GA10044@roeck-us.net>
In-Reply-To: <20180223170330.322805082@linuxfoundation.org>
References: <20180223170330.322805082@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 23, 2018 at 07:24:20PM +0100, gregkh@linuxfoundation.org wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
> > From: Eric Biggers > > commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream. > > If the kzalloc() in binder_get_thread() fails, binder_poll() > dereferences the resulting NULL pointer. > > Fix it by returning POLLERR if the memory allocation failed. > > This bug was found by syzkaller using fault injection. > > Reported-by: syzbot > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers > Signed-off-by: Greg Kroah-Hartman > --- > drivers/android/binder.c | 2 ++ > 1 file changed, 2 insertions(+) > > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f > binder_lock(__func__); > > thread = binder_get_thread(proc); > + if (!thread) > + return POLLERR; > Noticed while merging into chromeos-4.4: This will cause trouble in v4.4.y. Notice the call to "binder_lock(__func__)" above. This call has been removed upstream, but not in v4.4.y. As a result, the lock won't be released, which will result in subsequent hangups if/when the function is called again. v4.9.y has the same problem. v4.14.y+ are fine. Greg - can you fix this up yourself or do you want me to send fixup patches ? It might take a few days for me to get to it. Guenter > wait_for_proc_work = thread->transaction_stack == NULL && > list_empty(&thread->todo) && thread->return_error == BR_OK;
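Review bot: in this 4.4 backport the added `return POLLERR;` leaves binder_poll() while the lock taken two lines earlier by `binder_lock(__func__);` is still held, so the first failed binder_get_thread() leaves that lock permanently taken and every later caller hangs, exactly as Guenter notes below the hunk; upstream no longer has the binder_lock() call, which is why the commit is correct there but not in v4.4.y or v4.9.y. The early-return path in those trees should release the lock before returning, that is, call the unlock counterpart of binder_lock(__func__) immediately ahead of `return POLLERR;`, so the fix for the NULL dereference does not trade a crash for a driver-wide hang. Worth confirming with the same kzalloc() fault injection that found the original bug: the failing poll() should return POLLERR, and a second poll() on the same file descriptor must not block.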