Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp821250pxb;
        Wed, 6 Oct 2021 16:29:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy7r+rGcuOXFsEQ69/8psBXi/t+KMiJj4uAkA5Z7dKC84Q4fWpOUMnEl8BLXspAfNUWBwlR
X-Received: by 2002:a17:90a:be14:: with SMTP id a20mr1660280pjs.41.1633562978510;
        Wed, 06 Oct 2021 16:29:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1633562978; cv=none;
        d=google.com; s=arc-20160816;
        b=lNsWmyOGmo/ZJGx7qyg7U3vMocI3/Fu5/IIu8GwZKN20zxby4yWA75JFUgzfnmG+9Y
         N5uo1LZ3nBVipk/9sncRn3DyUMNWOPg4PFi5LDshTXiKO0uRuBQnl48osotmywImOUPi
         GHeON7qvWcHspJQB9dI8HVixO0tXIZ1N82PoWTYJPeEKq7OpgykeNI198KZjNNGp6P7g
         OmcRDD6Ek4zh/8eTJHxUvMc01ixXyDG8o0E9Qq3DJPJHwcCGqnbmtM2MgxlMAehsv6fS
         K9BvlPYu5UrkFMbAbp8UAfplZDCHdWmvqsu3B4fALDTq9QwtcQ3xuTqY0hKe3yooJasz
         R7Ng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=mliJ3L4jhXygNAQVvyfh3C51SF5VAYCq+PUY3yCWUww=;
        b=vJl1HmJdR1WcZ7vtIKNh2+6SQGHu6SL51+4CQACZ6O/TWtD9ZGYqLZVBig9Jv84mYL
         4unpIx2iNcQOthdZAKEeAM9iE6jh9nPDhdz0BDryLQMfeqIodda2IJnGifOknIemjv4x
         +Aqr/DFpm4HvoXguu6VV30kcQTPIRhLn4rRsXLquejxo+Dbu//tc1/ididq0E/cTxPOM
         muUTPRKYcm7qQbOFOHaehUEIv7aT2InBMrsmCmuyUw9Vj8dtbYI5d2FYMzqmfjG20o4n
         rQZXpInwGQqPcLH+xJke+WRnXscLPN23NbkTJgvzm1RY+w0yJFHGTkQbOjAhCOLztY/1
         CV9Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=qi5Ix5Ey;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s3si24754644pls.433.2021.10.06.16.29.25;
        Wed, 06 Oct 2021 16:29:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=qi5Ix5Ey;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231660AbhJFXaa (ORCPT <rfc822;lucas.de.marchi@gmail.com>
        + 99 others); Wed, 6 Oct 2021 19:30:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50188 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230300AbhJFXa2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Oct 2021 19:30:28 -0400
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 944D0C061746
        for <linux-kernel@vger.kernel.org>; Wed,  6 Oct 2021 16:28:35 -0700 (PDT)
Received: by mail-vs1-xe2b.google.com with SMTP id i30so4738010vsj.13
        for <linux-kernel@vger.kernel.org>; Wed, 06 Oct 2021 16:28:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=mliJ3L4jhXygNAQVvyfh3C51SF5VAYCq+PUY3yCWUww=;
        b=qi5Ix5Ey0HFp6L9+Tb4s0zGqPaWH11DuG+iN3lkQA45yIab1Igz9/t/wCd7KCEV28y
         JxYKiC9codL3nn9bXsqMDsfa+SeQx8h3Nvr7trPCbJDT8y8sfyHK6MeY640ofUooBqwE
         ZnWo2XX3gmZo9YozyxTto3ZVKMMM8zoNmKa9L9nfcbIevffVD/B8HV4B0AX+IFaDu0u/
         9RLvfgL6PhTG7pbofxOwM2VphykA2gfzrP0NVMOAyQxiNwxFLKJXZE0FiN/gZ0Y4hWbV
         6ehP2QTUVK1K7Ddq+kPCPs28QD5j5PLJ3qrOBNFwhLJ5V9zhf8eM1uCNO6iEZG/pCOFW
         UUnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=mliJ3L4jhXygNAQVvyfh3C51SF5VAYCq+PUY3yCWUww=;
        b=aFTp2iRBPdYGZBD9Nb1ZD69UfvYdW3WoLO6YP5+UOsCaSKXEOP8B+Ln+A1cpVEww9k
         toy2CL7g6vH4V7Sv3+HF3ud/bhJ0xo2b8tRYSFtO9lzhSmX7YNlBqtBUGxtZtWgdWKe5
         d2N4kCOZiGqBYSzpdzVZ9v/1sGxk0tYxLREWIp8vFnn3ACAAd81yVzUwikO43GXpF6fy
         fGYt5VG66gMHxbBP4yr52vq8Xl+S9YuwjObqMwFViHYR9LgjcCw6Z/4xDPzGHnLcmFO4
         EqhKhwv65YkV2bPp1TR9dtTahaAtqQ5CROY3RFS4oqjACLWFYfPkDyWlVm+Q+UP3soo3
         OQpw==
X-Gm-Message-State: AOAM533Lrb8DvaQ1lQl4VQzkjF1ddy/9MiIbx8VW87QixGH6OXsNvr2x
        i1btBLyy1WLmQFi5Pv0jVZHhsqhaWun9QiDQy60FRg==
X-Received: by 2002:a67:df16:: with SMTP id s22mr1310976vsk.47.1633562914708;
 Wed, 06 Oct 2021 16:28:34 -0700 (PDT)
MIME-Version: 1.0
References: <20211006224311.26662-1-ramjiyani@google.com> <YV4nnko8rmWAWj2+@gmail.com>
In-Reply-To: <YV4nnko8rmWAWj2+@gmail.com>
From:   Ramji Jiyani <ramjiyani@google.com>
Date:   Wed, 6 Oct 2021 16:28:23 -0700
Message-ID: <CAKUd0B-9ifaMBAxhaUZjppks8PCy4oCy=erRNnPBjrRxOGKUxQ@mail.gmail.com>
Subject: Re: [PATCH v3] aio: Add support for the POLLFREE
To:     Eric Biggers <ebiggers@kernel.org>
Cc:     arnd@arndb.de, viro@zeniv.linux.org.uk, bcrl@kvack.org, hch@lst.de,
        kernel-team@android.com, linux-aio@kvack.org,
        linux-arch@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, oleg@redhat.com,
        Jeff Moyer <jmoyer@redhat.com>, stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 6, 2021 at 3:48 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Wed, Oct 06, 2021 at 10:43:11PM +0000, Ramji Jiyani wrote:
> > Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.")
> > Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
> > Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
> > Cc: stable@vger.kernel.org # 4.19+
>
> The commit that this claims to be fixing is in linux-4.4.y, so either the fixes
> tag is wrong or the Cc stable tag is wrong.  It's important to provide correct
> information here for backporting purposes, so please do so.
>

Stable tag is correct; Fixes tag in this case is tricky.

In 4.4 only way to poll binder file was via eventpoll and since binder wasn't
flagging the POLLFREE before thread exit there was an UAF. Which got fixed
by the commit currently Fixes tag is referring.

Later, aio got enhanced by adding a polling feature in 4.19 [1].
That introduced one more way to poll binder files; but it did not include
support for POLLFREE, so UAF exists.

Should the Fixes tag refer to Commit bfe4037e722e ("aio: implement
IOCB_CMD_POLL") [2] in this case?

[1] https://lore.kernel.org/lkml/20180110155853.32348-32-hch@lst.de/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/aio.c?h=v4.19.209&id=bfe4037e722ec672c9dafd5730d9132afeeb76e9

> - Eric

~ Ramji