Date: Mon, 26 Feb 2018 11:05:59 -0800
From: Guenter Roeck
To: Eric Biggers
Cc: "gregkh@linuxfoundation.org", linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot, Eric Biggers
Subject: Re: [4.4, 027/193] binder: check for binder_thread allocation failure in binder_poll()
Message-ID: <20180226190559.GA15268@roeck-us.net>
References: <20180223170330.322805082@linuxfoundation.org> <20180226172119.GA10044@roeck-us.net> <20180226185754.GA177108@gmail.com>
In-Reply-To: <20180226185754.GA177108@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 26, 2018 at 10:57:54AM -0800, Eric Biggers wrote:
> Hi Guenter,
> 
> On Mon, Feb 26, 2018 at 09:21:19AM -0800, Guenter Roeck wrote:
> > On Fri, Feb 23, 2018 at 07:24:20PM +0100, gregkh@linuxfoundation.org wrote:
> > > 4.4-stable review patch. If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Eric Biggers
> > > 
> > > commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
> > > 
> > > If the kzalloc() in binder_get_thread() fails, binder_poll()
> > > dereferences the resulting NULL pointer.
> > > 
> > > Fix it by returning POLLERR if the memory allocation failed.
> > > 
> > > This bug was found by syzkaller using fault injection.
> > > 
> > > Reported-by: syzbot
> > > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Eric Biggers
> > > Signed-off-by: Greg Kroah-Hartman
> > > ---
> > >  drivers/android/binder.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > --- a/drivers/android/binder.c
> > > +++ b/drivers/android/binder.c
> > > @@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f
> > >  	binder_lock(__func__);
> > >  
> > >  	thread = binder_get_thread(proc);
> > > +	if (!thread)
> > > +		return POLLERR;
> > 
> > Noticed while merging into chromeos-4.4:
> > 
> > This will cause trouble in v4.4.y. Notice the call to "binder_lock(__func__)"
> > above. This call has been removed upstream, but not in v4.4.y. As a result,
> > the lock won't be released, which will result in subsequent hangups
> > if/when the function is called again.
> > 
> > v4.9.y has the same problem. v4.14.y+ are fine.
> > 
> > Greg - can you fix this up yourself or do you want me to send fixup
> > patches? It might take a few days for me to get to it.
> > 
> > Guenter
> 
> Thanks for spotting this! I'll send a patch to fix it.
> 

Thanks!

Guenter
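Review bot: in the binder_poll() hunk, the added "return POLLERR" runs after "binder_lock(__func__)" has already been taken and before any unlock, so in this 4.4 tree an allocation failure leaves the global binder lock held and the next caller into binder_poll() blocks on it. The early exit needs to drop the lock first, i.e. call the tree's matching binder_unlock(__func__) before "return POLLERR" (the upstream commit did not need this because upstream binder_poll() no longer takes that lock at the top).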
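As an added illustration, not code from the thread or from the kernel, here is a small user-space C model of the locking mistake Guenter describes: the backported early return next to a form that releases the lock first. All names (model_binder_lock, model_get_thread, the poll_backport_* functions) are constructed stand-ins; because the real lock would block, the model records that a second caller would hang instead of actually blocking.

```c
/* Added example, not kernel code: user-space model of the v4.4.y
 * binder_poll() backport pitfall; all names are constructed stand-ins. */
#include <stdlib.h>
#define POLLERR 0x0008  /* same value as the kernel's POLLERR */

/* Model of the global binder lock. The real lock would block a second
 * caller; the model records that in would_hang instead of blocking. */
static int lock_held, would_hang, fail_alloc;

static void model_binder_lock(void)   { if (lock_held) would_hang = 1; else lock_held = 1; }
static void model_binder_unlock(void) { lock_held = 0; }

/* Stand-in for binder_get_thread(): NULL while fail_alloc is set (kzalloc() failed). */
static void *model_get_thread(void) { return fail_alloc ? NULL : malloc(1); }

/* The backport as posted: the early return skips the unlock. */
static unsigned int poll_backport_as_posted(void)
{
    model_binder_lock();
    void *thread = model_get_thread();
    if (!thread)
        return POLLERR;        /* lock still held here */
    free(thread);
    model_binder_unlock();
    return 0;
}

/* Corrected form for a tree that still takes the lock first. */
static unsigned int poll_backport_fixed(void)
{
    model_binder_lock();
    void *thread = model_get_thread();
    if (!thread) {
        model_binder_unlock(); /* release before bailing out */
        return POLLERR;
    }
    free(thread);
    model_binder_unlock();
    return 0;
}

/* Call fn twice with allocation failing; 1 if the second call would
 * have blocked on a lock leaked by the first. */
static int second_call_would_hang(unsigned int (*fn)(void))
{
    lock_held = 0; would_hang = 0; fail_alloc = 1;
    fn(); fn();
    fail_alloc = 0;
    return would_hang;
}
```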