Received: by 10.192.165.148 with SMTP id m20csp4319450imm;
        Tue, 8 May 2018 06:41:20 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZo83VfhIk3SkAhtsFH4oxVVFzk6L6SQ/rE82JvX+0WpjdA5S02qNm00f84eKGQLM+n6BRb/
X-Received: by 2002:a17:902:a718:: with SMTP id w24-v6mr42576181plq.45.1525786880780;
        Tue, 08 May 2018 06:41:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525786880; cv=none;
        d=google.com; s=arc-20160816;
        b=U9UyEHY4FiAaaczkhlP5avilmAtiplHVcGs0vFWwS036DsoruWcNOOlXujFaCBwf9b
         q4ztDnBI+2NqY+XBt9HsMHIovQBv/vXJSAy1xwGFBDqLLN5NyXwuht2ArCvzPOJ1eLL9
         h+dGJ9zbw1ZzP2M/fevEcHtx6G638SDrg2fQ8HcjjONTzPQIAnZ3VTXyBe5TL5nJpKY1
         Ic0x2h8GW6Rnm0+3WxMr7mScks1Qp8kr+5D9AubmgmbZPyk5olkr2afdqn6RC0woEI1T
         Z3jT5Bl0s/K1wUSeD3Z57J2z5UarCS1CaPaom9Qn6vccn3EKA/iYVzDUuoZch1QueuFp
         htQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=b4197C2H9nfy4JTZKtOO5vbm3n1kxK6G3+jq7h8mRNI=;
        b=C8vw/ozNSlLLwlCPIPvTWg+SmxJcyR+Yqe43VjxSxhuiyoelVm9ocP9tQ34QaRZH9N
         CPCCq+ptxZEUtJF7md7BDHASE93uAqonxgKh/eW9FM1GWEPAM98Vxv4gFxhbN0iKbDkt
         mBfd3/u3rPB26iF420rORTW3nzKr8abfluJsW3XgcE9r/UxvAycSEPaUb7uYLiUR7SK9
         Np0SxNfFUAbhFBmcPXWFjGc9iyaTVgVttA9zLbXth/ygbZRjgLX5Tc4z5b+QpixrHviK
         EfPKgz59nYSofrHVG0w5haOAQrk+LuORAVCLIgD9gQXz8PG0YdE4vk9IE0pxKSnNtmYv
         WFGw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=VulWaoUM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o6-v6si19838448pgs.51.2018.05.08.06.41.06;
        Tue, 08 May 2018 06:41:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=VulWaoUM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755281AbeEHNjD (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Tue, 8 May 2018 09:39:03 -0400
Received: from mail-io0-f196.google.com ([209.85.223.196]:40398 "EHLO
        mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754892AbeEHNi7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 May 2018 09:38:59 -0400
Received: by mail-io0-f196.google.com with SMTP id g14-v6so34715156ioc.7
        for <linux-kernel@vger.kernel.org>; Tue, 08 May 2018 06:38:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=b4197C2H9nfy4JTZKtOO5vbm3n1kxK6G3+jq7h8mRNI=;
        b=VulWaoUMQfdOvczRlrUq1X91nJ9w6ilmsAeUkQWG6F5Xrr8S/i8UE+Q+v0JAK28921
         ULYw3TCt2ihuPab6BgUj7gco5qpKfP4Lnz7UFw84sZVkscDJCHnIqqRbYoJ3MHhoF0+8
         02B4m/+NyqG84fWyRxdsph1kfcLUD4adsgY5kOk2ig4+zCbRz45qeAyJcjwU7mzXo2Xx
         IcCXVKJ69q4MPXNj4EpKuOxcuz6VJtXXWejFGU8K4AMxiQje+JGTfDZAkVZGjqu9lLus
         V68mlkxUGspMC2TO7RXCkaj0JsCNHjw/10UGPKZcjkNK3PdAq3UTmX6VQ6vF+2CEK2DC
         Hsng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=b4197C2H9nfy4JTZKtOO5vbm3n1kxK6G3+jq7h8mRNI=;
        b=oqRdKoXE+RxRqPLFLSgvlTVvmWjSVRSgaTuzOSIQgCncjnORr+BPf8eGT/BhqNA06e
         d4OJJ1sEd+8rGuAzX12WotkrLXfFjMsUZa7ItUINk4rCpbU8vFQ608qTbShzViTJ6Ili
         Q1vGsTGxaXSHJGQobRlZReOui9M2xDvzRkSgspv8Y20fLYRPXwCzGvwAQk9jYdN0VqD+
         EyPxd1cCDkn1dKbI6rKaJ16JY35gM3FN/DENm9RMjVdTxar8gBf8cNBTZBQRPs4elVM0
         ulmJVykOukvarr2fYKqLE1dFwDAEANUsf7yvEU+s1UQJiC4AQ3JzGGx43CxBzg0qExFN
         89Ww==
X-Gm-Message-State: ALQs6tC0W+zEFihk3GcrUrjSFOUMXYVK3g6VWyKLxK/DRN9MYGxR5wEk
        rw0FDumpsug+/BllX3iFsrkzmWkp8hehKM18251mLzHA
X-Received: by 2002:a6b:9204:: with SMTP id u4-v6mr30040502iod.71.1525786738771;
 Tue, 08 May 2018 06:38:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:60c5:0:0:0:0:0 with HTTP; Tue, 8 May 2018 06:38:58 -0700 (PDT)
In-Reply-To: <20180508090639.14275-1-baijiaju1990@gmail.com>
References: <20180508090639.14275-1-baijiaju1990@gmail.com>
From:   Martijn Coenen <maco@android.com>
Date:   Tue, 8 May 2018 06:38:58 -0700
Message-ID: <CAB0TPYHVNhNoHTSuDR2Ew8iOeMo9SaKfoY2bF6WF7C5ADCyU+Q@mail.gmail.com>
Subject: Re: [PATCH] android: binder: Fix a possible data race in binder_alloc_mmap_handler
To:     Jia-Ju Bai <baijiaju1990@gmail.com>
Cc:     Greg KH <gregkh@linuxfoundation.org>,
        =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= <arve@android.com>,
        Todd Kjos <tkjos@android.com>,
        "open list:ANDROID DRIVERS" <devel@driverdev.osuosl.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 8, 2018 at 2:06 AM, Jia-Ju Bai <baijiaju1990@gmail.com> wrote:
> The write operations to "alloc->buffer" are protected by
> the lock on line 679 and 730, but the read operation to
> this data on line 712 is not protected by the lock.
> Thus, there may exist a data race for "alloc->buffer".

It's read by the same thread that just wrote it, there is no data race.

The locks at line 679 and 730 protect against multiple threads calling
mmap() at the same time.

>
> To fix this data race, the read operation to "alloc->buffer"
> should be also protected by the lock.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>  drivers/android/binder_alloc.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
> index 5a426c877dfb..596acc3a84e4 100644
> --- a/drivers/android/binder_alloc.c
> +++ b/drivers/android/binder_alloc.c
> @@ -709,7 +709,9 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
>                 goto err_alloc_buf_struct_failed;
>         }
>
> +       mutex_lock(&binder_alloc_mmap_lock);
>         buffer->data = alloc->buffer;
> +       mutex_unlock(&binder_alloc_mmap_lock);
>         list_add(&buffer->entry, &alloc->buffers);
>         buffer->free = 1;
>         binder_insert_free_buffer(alloc, buffer);
> --
> 2.17.0
>