Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Liam Howlett <liam.howlett@oracle.com>
To:     Carlos Llamas <cmllamas@google.com>
CC:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        =?iso-8859-1?Q?Arve_Hj=F8nnev=E5g?= <arve@android.com>,
        Todd Kjos <tkjos@android.com>,
        Martijn Coenen <maco@android.com>,
        Joel Fernandes <joel@joelfernandes.org>,
        Christian Brauner <brauner@kernel.org>,
        Suren Baghdasaryan <surenb@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        "kernel-team@android.com" <kernel-team@android.com>,
        "syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com" 
        <syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com>,
        "syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com" 
        <syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/7] binder: fix alloc->vma_vm_mm null-ptr dereference
Thread-Topic: [PATCH 1/7] binder: fix alloc->vma_vm_mm null-ptr dereference
Thread-Index: AQHYu+O+8j78ewjyGUWdeBrLUwjJOK3Hz2wAgAAJnICAAA2+AA==
Date:   Tue, 30 Aug 2022 20:30:07 +0000
Message-ID: <20220830203000.qgv3dkbgep2d6saw@revolver>
References: <20220829201254.1814484-1-cmllamas@google.com>
 <20220829201254.1814484-2-cmllamas@google.com>
 <20220830190515.dlrp2a3ypfyhzid5@revolver> <Yw5nwaNI5ewExYtC@google.com>
In-Reply-To: <Yw5nwaNI5ewExYtC@google.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?Pd2hKYx0ppbV7Jyc7U9IWjOVEigD72KlqdPgLvshV1hT7YxQWHmzntk0JM?=
 =?iso-8859-1?Q?IB25sbaAlfi4TKkMa5zgG8vUo8tPysBXyXz2E12bLhDCypzAeguqfvKmL0?=
 =?iso-8859-1?Q?Z9g4fsZyg9TFgvJN8WyZkxW5fSPeSPOy5DHEcFaXUO4sf0Afrp5ndocwo/?=
 =?iso-8859-1?Q?yk99g/DKAmemqTHvWrrIjoSRTm+i53r2lBsBnFbQzaMaaZe7KxiPikPrBs?=
 =?iso-8859-1?Q?kYr9v0jFmMdNu2R3Om9w3RzvJjSwdBMQn8VMNCWlxc+4bBjnxGMfUaWMZn?=
 =?iso-8859-1?Q?gQeThYoF+7Ije0295zsIeNjB7YF5HaFcoXW6o70vR5uwMPaEgRjz6i2vmT?=
 =?iso-8859-1?Q?e0b/ZCw4F9lU3wGkIKX5wB7lSiqxzwsXnG22+sIDti0wbQIUyFMTexzB2O?=
 =?iso-8859-1?Q?ekbyN4meZ2UMQfWpofurGElPh6JU4Ga+Xlj3AP3mTv+pjk9FeNZy5SRyGV?=
 =?iso-8859-1?Q?pD9ExrnfJUBjTfopRF2NaVNzaPsSAz6GjICD1Aa4jt/kpjSKjNpiTpgZNI?=
 =?iso-8859-1?Q?37NbTnSbcdMn1QG27lvMLULQOZfgq2S2zoYujVBSp2iLo0tVGWoLdqQTbM?=
 =?iso-8859-1?Q?QjPQos8b7H16JF7GoL5yAVeFdjf/SfuJBnzgf0PehyMz6IxAUFG7v7INWD?=
 =?iso-8859-1?Q?WxMKTH4fwrq/1f3V5PnJeiD3R8zk4hJpVTbZfVxoMSO+mysJ1P//lbQYo7?=
 =?iso-8859-1?Q?D+KLXT22uTcej+6raRbxmBqbwRaoEU9X/0WEwhbmwcrRMDZAoD3F+RIBa2?=
 =?iso-8859-1?Q?7ohsdVzfv1UUkUwOGiS9peaUag6t88fa+ArZR49Hy0axXK3qPjpYW3BRHE?=
 =?iso-8859-1?Q?/TTr4yrM0c8YyPThecOCTd3xZDyci6SPxZNEZjg/4jpWUhkmDE+ZYs6nZh?=
 =?iso-8859-1?Q?u0QdlYGCf3QrU12m9IHDOmvMW6l8s/E5HXxDMTVzlPBJ/I49z1trl7H0FD?=
 =?iso-8859-1?Q?nYr0BOI5B/j4VKzM8sLPEjgHAfQp1xDVNFfkvRUwDdt9UV/UJZZuX2k4PR?=
 =?iso-8859-1?Q?Y9C4cPC0gnj3DFWlG+eqYs98QwOAilC/0vp1eL9aPii3ANDhmtL6aOYhkO?=
 =?iso-8859-1?Q?sQIjFAaJz99tlbL4ZBeFMLXVmVEphPeKmGlD4uhAh2/Az3TqnolFG7y4Ck?=
 =?iso-8859-1?Q?8OPTQuQ9/jcDF4ZTfyefYzDBqSgz2wYqe3JL8rvhGCg1kRgGr0h5qfCMEH?=
 =?iso-8859-1?Q?vIFEY41TUbMazqCfJHDL3knPuliJWYyzWZptLD2Hnu2Qr3XfCkqiri2714?=
 =?iso-8859-1?Q?RKBJ2srKMrEo4rTx8BqVF2bNRcB5C55E0h25Ne0a1bxf2Ynu94wcbNLNFt?=
 =?iso-8859-1?Q?V62pnJgmzQVuQJs0+ZfPFmh3BwRVs9d6qIL/zG9Ne1ocP/DTl37Kxm6gY1?=
 =?iso-8859-1?Q?a+lM/8JuUxz7SvCvLTV/5isZ67mrUdPKqESmWvrdGZ1eJ4owAB0zRlX4uG?=
 =?iso-8859-1?Q?ocVwYqOgAsqhnmUX2TwD01VXsAVV+kztI9r6DP7Uf2LDXE7c6MtCc4H3pV?=
 =?iso-8859-1?Q?Eap/05sL0h9a2iAdAt6N5MyBSGl9sGWE81+IihQ/AhgFnTa7xWqHJZNPvQ?=
 =?iso-8859-1?Q?ImeL314NZrJwUIEGhWtAbb0L3SYBL7nvseN9fubd6Chpa4IEEB4QOPUsPK?=
 =?iso-8859-1?Q?YrB8rClwcy8AOCB92iUO3qJ4BhmZTX/NqM5jQmAza/a5uPdIbnIWLNFw?=
 =?iso-8859-1?Q?=3D=3D?=
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <C16BBB581CA9C64BB400E4E701653FEA@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR10MB3022.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 76c7327a-086c-4dfc-bbe2-08da8ac66da6
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2022 20:30:07.3835
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1CF2am3g/WBat5T3JSHl5IuhbWnyRBJc6WCX611xF7YMRExBeYtxhEreiBk2NhuQKErm4nZMFcRfC+KiU2jgCQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR10MB5281
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1
 definitions=2022-08-30_11,2022-08-30_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 malwarescore=0 mlxscore=0
 spamscore=0 mlxlogscore=999 phishscore=0 suspectscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000
 definitions=main-2208300091
X-Proofpoint-GUID: 4WQR8FMWj6sgAbvo58Q0T49ibDG7hh73
X-Proofpoint-ORIG-GUID: 4WQR8FMWj6sgAbvo58Q0T49ibDG7hh73
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

* Carlos Llamas <cmllamas@google.com> [220830 15:41]:
> On Tue, Aug 30, 2022 at 07:06:37PM +0000, Liam Howlett wrote:
> > > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_=
alloc.c
> > > index 51f4e1c5cd01..9b1778c00610 100644
> > > --- a/drivers/android/binder_alloc.c
> > > +++ b/drivers/android/binder_alloc.c
> > > @@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma(struct bi=
nder_alloc *alloc,
> > >  	 */
> > >  	if (vma) {
> > >  		vm_start =3D vma->vm_start;
> > > -		alloc->vma_vm_mm =3D vma->vm_mm;
> >=20
> > Is this really the null pointer dereference?  We check for vma above..?
> >=20
>=20
> Not here. The sequence leading to the null-ptr-deref happens when we try
> to take alloc->vma_vm_mm->mmap_lock in binder_alloc_new_buf_locked() and
> in binder_alloc_print_pages() without initializing alloc->vma_vm_mm
> first (e.g. mmap() was never called). These sequences are described in
> the commit message but basically they translate to mmap_read_lock(NULL)
> calls.

Ah, this is unnecessary with the rest of the change.

Feel free to add my reviewed-by if you want.


Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>