Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp815649ybl; Wed, 11 Dec 2019 07:57:26 -0800 (PST) X-Google-Smtp-Source: APXvYqwXSDD6m3wkLGutkkZpvzuo5aBdcT1ICDzdMfdG5z9cYvgEAP0pHQqsLHms47tfhTWuwn8v X-Received: by 2002:a05:6808:1c5:: with SMTP id x5mr3448799oic.57.1576079846384; Wed, 11 Dec 2019 07:57:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1576079846; cv=none; d=google.com; s=arc-20160816; b=JL0VNvfQo34jX2mGCQKpFkK5xWAVGC/u4Ymg9XkOaXCRl4Sj/13t3Zl6Aey0CwfusX oiVp2ZxIEADlZIKDiheYwpgNSMd2WuuFYE3AmN1RxTPUAl7VLRi84SCRUEKZJOUPyWCp mf6Ql2aMv6TXgy36hyiORUI8DXZeu1f0NdrWv2SpYZ5qBC86+DYk31a6VswKT7XfuE8D aUntQhp5o2iazTTf6YTCxcK2dgMSATCLZlNDc0aUppWToSGcEfYUCFqZT9Wa2lMAwzHb V3XcI7+zuBdPGfIAzrH49JB7FM18FXmKXd8ye5IOyABRknfc5EDGkRRz9h1GXj8xA+q/ uw1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6hfNw3X21Zo5CTCixjymiM783DwNOYyxStp3ddazGUk=; b=O+SPDwe/w0OhR1X5mRJbU0g8XMwqt0LxVNbrJoMDfh+M502KQvpW1IqH5X3+8nnYyl +OKxA3g+om0qLuZFJAo+NFrkmi7B8IV8qCAZGxG7lCp8jKrVGzMYxl0J6/e+qGO5lBZ3 Ioqj9VOuNjWhJHsHC9vPBVnL2903LglISJVrHaY3RJMdclKOPpPLiQiDJj4dKVmYyeeJ OQS08OpLF2vyoOXGzY9kRTTEJEFVJiJ/jgQr2fIMEEagdNCXp4CEHscuvrJNU6m/Sb4G /IAtnS1sgI3TX0g6HNOkr31lIcsRE4ncg6p3EeOqKEcWHOTGfkzXF/cejuupLRvILF+D W5rg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dUCuCDmT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r21si1354792otd.276.2019.12.11.07.57.14; Wed, 11 Dec 2019 07:57:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dUCuCDmT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732175AbfLKP4E (ORCPT + 99 others); Wed, 11 Dec 2019 10:56:04 -0500 Received: from mail.kernel.org ([198.145.29.99]:41954 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731810AbfLKPPf (ORCPT ); Wed, 11 Dec 2019 10:15:35 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0F66320663; Wed, 11 Dec 2019 15:15:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576077334; bh=9zpLNPI5XZRFD6601chy04kpn9vCfjMzRQc3/zkWmVo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dUCuCDmT0fgzRvZ3wnTRBIbP9ytenK+NxA6Gg7pAsGhFsvSdGK6p4YF36fvf7Fuj5 rqZseSo88KQ7n0+9F7CMHFU8vCMidYOK1c4i2+FLR5QknkI7L8ePl+ShawJ66cbeBz A4X2i6Pj1g15aTTikKfxNOgtvXs++q9g/Q/utNCc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Christian Brauner Subject: [PATCH 5.3 105/105] binder: Handle start==NULL in binder_update_page_range() Date: Wed, 11 Dec 2019 16:06:34 +0100 Message-Id: <20191211150306.382349788@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191211150221.153659747@linuxfoundation.org> References: <20191211150221.153659747@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream. The old loop wouldn't stop when reaching `start` if `start==NULL`, instead continuing backwards to index -1 and crashing. Luckily you need to be highly privileged to map things at NULL, so it's not a big problem. Fix it by adjusting the loop so that the loop variable is always in bounds. This patch is deliberately minimal to simplify backporting, but IMO this function could use a refactor. The jump labels in the second loop body are horrible (the error gotos should be jumping to free_range instead), and both loops would look nicer if they just iterated upwards through indices. And the up_read()+mmput() shouldn't be duplicated like that. Cc: stable@vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Signed-off-by: Jann Horn Acked-by: Christian Brauner Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder_alloc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -277,8 +277,7 @@ static int binder_update_page_range(stru return 0; free_range: - for (page_addr = end - PAGE_SIZE; page_addr >= start; - page_addr -= PAGE_SIZE) { + for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) { bool ret; size_t index; @@ -291,6 +290,8 @@ free_range: WARN_ON(!ret); trace_binder_free_lru_end(alloc, index); + if (page_addr == start) + break; continue; err_vm_insert_page_failed: @@ -298,7 +299,8 @@ err_vm_insert_page_failed: page->page_ptr = NULL; err_alloc_page_failed: err_page_ptr_cleared: - ; + if (page_addr == start) + break; } err_no_vma: if (mm) {