Received: by 10.223.185.116 with SMTP id b49csp3993737wrg;
        Mon, 26 Feb 2018 09:22:21 -0800 (PST)
X-Google-Smtp-Source: AH8x226vdDxLcIWOTc1R3y8dB3bRV4yErjMgD88Ee1DjywOw+cw8JUGYy3s4i2o58VAe+ElKfbT2
X-Received: by 2002:a17:902:1746:: with SMTP id i64-v6mr11188446pli.53.1519665740902;
        Mon, 26 Feb 2018 09:22:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519665740; cv=none;
        d=google.com; s=arc-20160816;
        b=rUykVJFWVy3A3w1ozn/tzkosLkb5ewqFqRjPish024dbomHL3zxnNuZ/kKfYfBpqdH
         29M5xyG99va5uVz5wEHKAODG8fT/8K22TJZJuq/MKr9FVmbFBu7tBdwitvYceWJB2oXv
         kDlmyy/uKH6Lwgoui/TNZnph6O7FiW9L+KKigaljPGCBi/pvSfY2KBNoAGZYC+JIOpY0
         1PWj2CqocL4ywkg56psHErj+1XuEtnWSLZDTCQkAxRvrOgkxYu3dOZaGopSJCiQc0qcK
         e/EHUIU05fEFajE3kFRaD8F6qYOSSLnIk9jLNpmvM8IgVMyl/CdBykge42sM81HxZLft
         xEQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=2dLkQItMJaHlar0Pd17dzoJHqrhRw0OXwVZagPdx7Vs=;
        b=WdyqWH17I3QCp1/hEKphi3NP13uB/M0dbsnvUw4e61SEjkTffluK4mIaUxtW6GYM3p
         IehtqWS8m7AX7yFzhrN7ifk4foyFwAEg9j4T7Lw/VeI06pXgQgD224SCbICUg56Jty/P
         1NnMksIKZ/+nMbOhE37xR4fPqMTwaXfiMUXG2swegVj9Vme7M3GFChtSqCG0f4OvpZ5s
         CX35rks/N5XqQb5oDBHIWGMGOboBInidC4n072yR9T2mtIyMyFQ1FEUZezb6jCLUZL4M
         5KMMg1LOGKagwOILvUPVDk0BbWvPFeQ6l4kLa0XQQ+ASlMxEVlQgssG/SpNypklJMBCY
         pX2w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=kKmi0YKa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e10-v6si5510466pls.184.2018.02.26.09.22.04;
        Mon, 26 Feb 2018 09:22:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=kKmi0YKa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751544AbeBZRVZ (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Mon, 26 Feb 2018 12:21:25 -0500
Received: from mail-pf0-f196.google.com ([209.85.192.196]:34517 "EHLO
        mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751269AbeBZRVX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Feb 2018 12:21:23 -0500
Received: by mail-pf0-f196.google.com with SMTP id j20so3343703pfi.1;
        Mon, 26 Feb 2018 09:21:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=2dLkQItMJaHlar0Pd17dzoJHqrhRw0OXwVZagPdx7Vs=;
        b=kKmi0YKaajyhz22JU6PyDTOVqyq+11ZmVk0eE7tnDakjyTRVdmvkjPSNgTzdhN51aS
         dOSK/HU5DsuuRbBpEGsC7NlbbeaHW+vG6BYDsA5SLoe4Xbrut6hCxG6dp/gPPmrbjhIw
         pNvytBIHDCx4xqnihblwoseQ4UUrsNrWSuCcV1kG7qeh3h2QUwak3V237sUjduuVjXVN
         OOmVcJEhlvkUchAYtD+eUEo7UIV+beZdT5wSC2o8AmTccJzdh1gyNOYjOpQnxILAP4/a
         LFfDS+DPMsfClMsdhGPTz04kjMdh00aBTpYtpW3ae++ynsmBhsPG6IESmI1/DxAPEQn4
         o/gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:from:to:cc:subject:message-id
         :references:mime-version:content-disposition:in-reply-to:user-agent;
        bh=2dLkQItMJaHlar0Pd17dzoJHqrhRw0OXwVZagPdx7Vs=;
        b=H8V4w1r7L1Q0yFYQGZUK3HPISnjOiBPRW0/Io90BW5HzCFdAz8kYi40lzNJDDWeVP6
         Kp+kY/OAFyQcqzhdD49Wl9vBwdWCDrG1gxBPaPoX0IVrBYWPSCNVujEBql4l7t6aOHap
         vUk9GqANEok6kfIrt+QD/D+q1muHCkpGN8n83a+/DV7si4uGHfCC+DdDPio3diD8RQbC
         C+Y/T/WV5revz/RJKbArv8gSVoJrXHAULl26o4DrgJip8Iwv7MXV93BrJALCWPQjpVAj
         l/ffbVZc3z0ZKVmAjnwOIQPYd31egOJcEN9rbIuA6YL7NgTqa72s8NxQ+lxgsqQA8T4t
         tR/w==
X-Gm-Message-State: APf1xPBy0imJUmvgHZNdriAKMW4U89yCBVZeotoM/MBcnybQwv9LwOZD
        w/qIVJvmjJRM0VtMldOoeY0=
X-Received: by 10.98.16.13 with SMTP id y13mr11307444pfi.188.1519665682620;
        Mon, 26 Feb 2018 09:21:22 -0800 (PST)
Received: from localhost (108-223-40-66.lightspeed.sntcca.sbcglobal.net. [108.223.40.66])
        by smtp.gmail.com with ESMTPSA id u133sm1461284pgc.93.2018.02.26.09.21.20
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 26 Feb 2018 09:21:21 -0800 (PST)
Date:   Mon, 26 Feb 2018 09:21:19 -0800
From:   Guenter Roeck <linux@roeck-us.net>
To:     "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        syzbot <syzkaller@googlegroups.com>,
        Eric Biggers <ebiggers@google.com>
Subject: Re: [4.4, 027/193] binder: check for binder_thread allocation
 failure in binder_poll()
Message-ID: <20180226172119.GA10044@roeck-us.net>
References: <20180223170330.322805082@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180223170330.322805082@linuxfoundation.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 23, 2018 at 07:24:20PM +0100, gregkh@linuxfoundation.org wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Eric Biggers <ebiggers@google.com>
> 
> commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
> 
> If the kzalloc() in binder_get_thread() fails, binder_poll()
> dereferences the resulting NULL pointer.
> 
> Fix it by returning POLLERR if the memory allocation failed.
> 
> This bug was found by syzkaller using fault injection.
> 
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/android/binder.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f
>  	binder_lock(__func__);
>  
>  	thread = binder_get_thread(proc);
> +	if (!thread)
> +		return POLLERR;
>  
Noticed while merging into chromeos-4.4:

This will cause trouble in v4.4.y. Notice the call to "binder_lock(__func__)"
above. This call has been removed upstream, but not in v4.4.y. As a result,
the lock won't be released, which will result in subsequent hangups
if/when the function is called again.

v4.9.y has the same problem. v4.14.y+ are fine.

Greg - can you fix this up yourself or do you want me to send fixup
patches ? It might take a few days for me to get to it.

Guenter

>  	wait_for_proc_work = thread->transaction_stack == NULL &&
>  		list_empty(&thread->todo) && thread->return_error == BR_OK;