Received: by 10.223.185.116 with SMTP id b49csp4100765wrg;
        Mon, 26 Feb 2018 11:07:36 -0800 (PST)
X-Google-Smtp-Source: AH8x225L7MEOpK8/qeGnstK3vY1u9PhYc2D7trgNZq0VckRSTMkOpt3QfLkA7UmWU0JCtTZQP1fO
X-Received: by 2002:a17:902:6b88:: with SMTP id p8-v6mr11259512plk.261.1519672055999;
        Mon, 26 Feb 2018 11:07:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519672055; cv=none;
        d=google.com; s=arc-20160816;
        b=MgpXAFvlAj7dWweerL2tvWC02INnn2O/9BnKjvIsyryiNhKbfqq7OUYot6su6FBm/2
         DIuejKb2vzGpf1WWptNzbi/JyZ40QCs3kSJposelVCfle0T9vp9HnnnLlAn24Ug4qfgf
         TO9FSYmZs6KQ9jjtbh4PlteEcfSvcT39gWkCYXAbJZi8OYAmIAWrLh8M2w5r05JCs76g
         Z8ACNLA8/239VqlPJ1lSuPL1ZQtk4gfqBxmyksWMQ40AzqCqJscFBW54SOp5IKfWRWSE
         u3JEjHAdSdWQrD0F06JkRAz9qiyJHYVH8VD2YFwQO46w50RJ3Cu/8N32NYdpSVS0HiDW
         qQ3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=SYDQFbMG+igDbGYbT97Rk2e67CJTlGaM5zSeDY9IHcU=;
        b=B59YtM6TW/eGYpmNPZoonvhaoH7qfOKykEcEc+uFZ8NGQ9csXdWkccUEvsTHqm3OPr
         h/4EEfRWJ8lk/TpQH7cl4ls8S46GHjcJ40915MODRjNUkXyvEsFs2zyXhuy2aTBVYG4x
         v6opbY1Y5h79uzCqMAPRikqAGH/Bm2KhIbRlFYS7hPw4mR+mYWdcKzKRM4OnXSVfsyAi
         C4IRTFhz2ilI+8wm8kQhTXdjwd5lxbDTnl/Dw5yuWwr74FgH45gPbftBQ10iMArrNglV
         ggch/2wKVvvXjmBD+IxE4XNQL+HQOy47Iaq6y/tYhnzAK8hsu8qH3SJ5ST6xeroJOxSD
         pT/g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=SVCiQjhn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w9-v6si7052271plp.425.2018.02.26.11.07.19;
        Mon, 26 Feb 2018 11:07:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=SVCiQjhn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751730AbeBZTGD (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Mon, 26 Feb 2018 14:06:03 -0500
Received: from mail-pg0-f65.google.com ([74.125.83.65]:41558 "EHLO
        mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751668AbeBZTGC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Feb 2018 14:06:02 -0500
Received: by mail-pg0-f65.google.com with SMTP id q27so4938568pgn.8;
        Mon, 26 Feb 2018 11:06:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=SYDQFbMG+igDbGYbT97Rk2e67CJTlGaM5zSeDY9IHcU=;
        b=SVCiQjhnxbLNz1n9E2OmPT1v4eIoDQSXwSep3knrMc5Hkp4R5gAEDmR4VgebiXK5zn
         xm+6247tzFgUmKCBkXvX7yzjtQzc4vgVTDzKMd1FUlK2P/dn28n5tj1CGnbN+mS8gouw
         mcskEpauNR98PTdr+FVKt9CZ7OGHQ16+Znd9e1h/IUBZKlfN6mUAA9bzCfOQB1vSHuH3
         sXeFyA8DusQggf2DShX+3cUmkVjRRlG6iEVgMUKCioByr7iVUKvIxTt0yJ//g6iUqw8d
         pp5g3FHaX2EC5xgojXyXMTwFyosCkIB4Iw7jCMzcPIrrjcWkQmuX+9ViT4aNbPSc82X3
         pxwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:from:to:cc:subject:message-id
         :references:mime-version:content-disposition:in-reply-to:user-agent;
        bh=SYDQFbMG+igDbGYbT97Rk2e67CJTlGaM5zSeDY9IHcU=;
        b=rS+fQZ1X6lIj4seIhHOtjpmhEy/MjwV0o+BQDvjsEr91lowb1xsen2EPoqMCteOrCE
         zxTAsn4xp+x4iy/d6NWKY6U8Vce/pse9nBJPzoE9Rrpq7i+3G84K9bxOtu6avkawFcOY
         mx/v1qhbCmaxp3Tb+kMQ8cS8fO3BenywHM88WW63tZDvPE6TKXJtS16OLrDVwA9bmdmr
         OmvJNZFRjVxz8vMXYeTR0EGVxnA30qjxSiFoQZChMvkLLSaOU2POO37JFqeqSQaq4+//
         ZGPbk9wgvG2jUB4jQ7F/1OssTYx7AA4aned22tsrs2RowU/ZR6G3vQT9Gr8i7qWN2SbM
         SubA==
X-Gm-Message-State: APf1xPAyldwDT1p9uU66nt7MlhyM1el3FgKSekEig0QFxby4qAb2wcke
        t39WjPAFtdegC3RYMseaN48=
X-Received: by 10.98.73.140 with SMTP id r12mr11539143pfi.229.1519671961645;
        Mon, 26 Feb 2018 11:06:01 -0800 (PST)
Received: from localhost (108-223-40-66.lightspeed.sntcca.sbcglobal.net. [108.223.40.66])
        by smtp.gmail.com with ESMTPSA id g77sm21130897pfk.135.2018.02.26.11.06.00
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 26 Feb 2018 11:06:00 -0800 (PST)
Date:   Mon, 26 Feb 2018 11:05:59 -0800
From:   Guenter Roeck <linux@roeck-us.net>
To:     Eric Biggers <ebiggers3@gmail.com>
Cc:     "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        syzbot <syzkaller@googlegroups.com>,
        Eric Biggers <ebiggers@google.com>
Subject: Re: [4.4, 027/193] binder: check for binder_thread allocation
 failure in binder_poll()
Message-ID: <20180226190559.GA15268@roeck-us.net>
References: <20180223170330.322805082@linuxfoundation.org>
 <20180226172119.GA10044@roeck-us.net>
 <20180226185754.GA177108@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180226185754.GA177108@gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 26, 2018 at 10:57:54AM -0800, Eric Biggers wrote:
> Hi Guenter,
> 
> On Mon, Feb 26, 2018 at 09:21:19AM -0800, Guenter Roeck wrote:
> > On Fri, Feb 23, 2018 at 07:24:20PM +0100, gregkh@linuxfoundation.org wrote:
> > > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
> > > 
> > > If the kzalloc() in binder_get_thread() fails, binder_poll()
> > > dereferences the resulting NULL pointer.
> > > 
> > > Fix it by returning POLLERR if the memory allocation failed.
> > > 
> > > This bug was found by syzkaller using fault injection.
> > > 
> > > Reported-by: syzbot <syzkaller@googlegroups.com>
> > > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > ---
> > >  drivers/android/binder.c |    2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > --- a/drivers/android/binder.c
> > > +++ b/drivers/android/binder.c
> > > @@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f
> > >  	binder_lock(__func__);
> > >  
> > >  	thread = binder_get_thread(proc);
> > > +	if (!thread)
> > > +		return POLLERR;
> > >  
> > Noticed while merging into chromeos-4.4:
> > 
> > This will cause trouble in v4.4.y. Notice the call to "binder_lock(__func__)"
> > above. This call has been removed upstream, but not in v4.4.y. As a result,
> > the lock won't be released, which will result in subsequent hangups
> > if/when the function is called again.
> > 
> > v4.9.y has the same problem. v4.14.y+ are fine.
> > 
> > Greg - can you fix this up yourself or do you want me to send fixup
> > patches ? It might take a few days for me to get to it.
> > 
> > Guenter
> 
> Thanks for spotting this!  I'll send a patch to fix it.
> 
Thanks!

Guenter