From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Martijn Coenen, Christian Brauner, Todd Kjos
Subject: [PATCH 5.14 018/162] binder: make sure fd closes complete
Date: Mon, 27 Sep 2021 19:01:04 +0200
Message-Id: <20210927170234.082914299@linuxfoundation.org>
In-Reply-To: <20210927170233.453060397@linuxfoundation.org>
References: <20210927170233.453060397@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Todd Kjos

commit 5fdb55c1ac9585eb23bb2541d5819224429e103d upstream.

During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object cleanup may close 1 or more fds. The close operations are completed using the task work mechanism -- which means the thread needs to return to userspace or the file object may never be dereferenced -- which can lead to hung processes.

Force the binder thread back to userspace if an fd is closed during BC_FREE_BUFFER handling.

Fixes: 80cd795630d6 ("binder: fix use-after-free due to ksys_close() during fdget()")
Cc: stable
Reviewed-by: Martijn Coenen
Acked-by: Christian Brauner
Signed-off-by: Todd Kjos
Link: https://lore.kernel.org/r/20210830195146.587206-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1852,6 +1852,7 @@ static void binder_deferred_fd_close(int } static void binder_transaction_buffer_release(struct binder_proc *proc, + struct binder_thread *thread, struct binder_buffer *buffer, binder_size_t failed_at, bool is_failure)
@@ -2011,8 +2012,16 @@ static void binder_transaction_buffer_re &proc->alloc, &fd, buffer, offset, sizeof(fd)); WARN_ON(err); - if (!err) + if (!err) { binder_deferred_fd_close(fd); + /* + * Need to make sure the thread goes + * back to userspace to complete the + * deferred close + */ + if (thread) + thread->looper_need_return = true; + } } } break; default: @@ -3105,7 +3114,7 @@ err_bad_parent: err_copy_data_failed: binder_free_txn_fixups(t); trace_binder_transaction_failed_buffer_release(t->buffer); - binder_transaction_buffer_release(target_proc, t->buffer, + binder_transaction_buffer_release(target_proc, NULL, t->buffer, buffer_offset, true); if (target_node) binder_dec_node_tmpref(target_node); @@ -3184,7 +3193,9 @@ err_invalid_target_handle: * Cleanup buffer and free it. */ static void -binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer) +binder_free_buf(struct binder_proc *proc, + struct binder_thread *thread, + struct binder_buffer *buffer) { binder_inner_proc_lock(proc); if (buffer->transaction) { @@ -3212,7 +3223,7 @@ binder_free_buf(struct binder_proc *proc binder_node_inner_unlock(buf_node); } trace_binder_transaction_buffer_release(buffer); - binder_transaction_buffer_release(proc, buffer, 0, false); + binder_transaction_buffer_release(proc, thread, buffer, 0, false); binder_alloc_free_buf(&proc->alloc, buffer); } @@ -3414,7 +3425,7 @@ static int binder_thread_write(struct bi proc->pid, thread->pid, (u64)data_ptr, buffer->debug_id, buffer->transaction ? "active" : "finished"); - binder_free_buf(proc, buffer); + binder_free_buf(proc, thread, buffer); break; } @@ -4107,7 +4118,7 @@ retry: buffer->transaction = NULL; binder_cleanup_transaction(t, "fd fixups failed", BR_FAILED_REPLY); - binder_free_buf(proc, buffer); + binder_free_buf(proc, thread, buffer); binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n", proc->pid, thread->pid,
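Review bot: the new `struct binder_thread *thread` parameter added to binder_transaction_buffer_release() in the first hunk is nullable, but nothing at the declaration says so; one caller in this patch passes the calling thread and another passes NULL. Add a comment on the declaration stating that @thread is the thread to force back to userspace after a deferred fd close, or NULL when no thread needs to be kicked.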
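Review bot: in the BINDER_TYPE_FDA hunk the store `thread->looper_need_return = true;` is executed once per closed fd inside the per-fd loop. It is idempotent, so this is a style point only, but recording a local such as `bool fd_closed` inside the loop and setting the flag once after it would keep the loop body minimal and make the intent (one return to userspace regardless of how many fds were closed) explicit.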
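Review bot: the err_copy_data_failed hunk passes NULL for the new thread argument at `binder_transaction_buffer_release(target_proc, NULL, t->buffer,` without saying why. A one-line comment explaining why no thread has to be forced back to userspace on this failure path, i.e. why a deferred close cannot be left pending here, would save the next reader from re-deriving it.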
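Review bot: the comment above binder_free_buf() still reads only ` * Cleanup buffer and free it.` while the hunk adds a `struct binder_thread *thread` argument to the function; update the comment to describe the new argument (the thread to force back to userspace when releasing the buffer closes fds, or NULL).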
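Review bot: at the `binder_cleanup_transaction(t, "fd fixups failed", BR_FAILED_REPLY);` site the call becomes `binder_free_buf(proc, thread, buffer);`, which means looper_need_return can now be raised from inside this retry loop rather than from the write path; a short comment here noting that binder_free_buf() may set thread->looper_need_return and that the read loop is expected to honour it would help, and this path deserves a test that frees a transaction carrying an FDA object after a failed fixup and checks the thread really does return.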