References: <20191006172016.873463083@linuxfoundation.org> <20191006172018.480360174@linuxfoundation.org>
In-Reply-To: <20191006172018.480360174@linuxfoundation.org>
From: Martijn Coenen
Date: Mon, 7 Oct 2019 11:33:53 +0200
Subject: Re: [PATCH 4.9 30/47] ANDROID: binder: remove waitqueue when thread exits.
To: Greg Kroah-Hartman
Cc: LKML, stable@vger.kernel.org, syzbot, Mattias Nissler
List-ID: linux-kernel@vger.kernel.org

On Sun, Oct 6, 2019 at 7:23 PM Greg Kroah-Hartman wrote:
>
> From: Martijn Coenen
>
> commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f upstream.
>
> binder_poll() passes the thread->wait waitqueue that
> can be slept on for work. When a thread that uses
> epoll explicitly exits using BINDER_THREAD_EXIT,
> the waitqueue is freed, but it is never removed
> from the corresponding epoll data structure. When
> the process subsequently exits, the epoll cleanup
> code tries to access the waitlist, which results in
> a use-after-free.
>
> Prevent this by using POLLFREE when the thread exits.
>
> Signed-off-by: Martijn Coenen
> Reported-by: syzbot
> Cc: stable # 4.14
> [backport BINDER_LOOPER_STATE_POLL logic as well]
> Signed-off-by: Mattias Nissler
> Signed-off-by: Greg Kroah-Hartman
> ---
> drivers/android/binder.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
> > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -334,7 +334,8 @@ enum { > BINDER_LOOPER_STATE_EXITED = 0x04, > BINDER_LOOPER_STATE_INVALID = 0x08, > BINDER_LOOPER_STATE_WAITING = 0x10, > - BINDER_LOOPER_STATE_NEED_RETURN = 0x20 > + BINDER_LOOPER_STATE_NEED_RETURN = 0x20, > + BINDER_LOOPER_STATE_POLL = 0x40, > }; > > struct binder_thread { > @@ -2628,6 +2629,18 @@ static int binder_free_thread(struct bin > } else > BUG(); > } > + > + /* > + * If this thread used poll, make sure we remove the waitqueue > + * from any epoll data structures holding it with POLLFREE. > + * waitqueue_active() is safe to use here because we're holding > + * the inner lock. This should be "global lock" in 4.9 and 4.4 :) Otherwise LGTM, thanks! Martijn > + */ > + if ((thread->looper & BINDER_LOOPER_STATE_POLL) && > + waitqueue_active(&thread->wait)) { > + wake_up_poll(&thread->wait, POLLHUP | POLLFREE); > + } > + > if (send_reply) > binder_send_failed_reply(send_reply, BR_DEAD_REPLY); > binder_release_work(&thread->todo); > @@ -2651,6 +2664,8 @@ static unsigned int binder_poll(struct f > return POLLERR; > } > > + thread->looper |= BINDER_LOOPER_STATE_POLL; > + > wait_for_proc_work = thread->transaction_stack == NULL && > list_empty(&thread->todo) && thread->return_error == BR_OK; > > >
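Review bot: in the binder_free_thread() hunk, the new block comment justifies the unlocked waitqueue_active() check with "we're holding the inner lock", but as the reply in this thread points out, the lock held at that point in the 4.9 (and 4.4) tree is the global binder lock, so the comment should say "global lock" to match the code it is backported into; otherwise the next reader will go looking for a per-process inner lock that this tree does not take here. The fix itself matches the commit message: gating the wakeup on BINDER_LOOPER_STATE_POLL limits it to threads that actually handed thread->wait to poll/epoll, and `wake_up_poll(&thread->wait, POLLHUP | POLLFREE)` is the signal that tells epoll to drop its reference to the waitqueue before the thread structure is freed, which is what closes the use-after-free described above.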
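Review bot: in the binder_poll() hunk, `thread->looper |= BINDER_LOOPER_STATE_POLL;` is placed after the early `return POLLERR;` path, which is the right spot: a caller that bails out there never registers thread->wait with epoll, so it should not be marked and should not get a POLLFREE wakeup later. Nothing in this patch clears the flag, so once a thread has polled it stays marked until binder_free_thread() runs; a one-line comment stating that the flag is intentionally sticky would save a reviewer from wondering whether a clear was forgotten.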