Date: Thu, 16 Nov 2017 21:27:06 +0100
From: Greg KH
To: Todd Kjos
Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Subject: Re: [PATCH v2] binder: fix proc->files use-after-free
Message-ID: <20171116202706.GA10790@kroah.com>
In-Reply-To: <20171116175650.40362-1-tkjos@google.com>

On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote:
> proc->files cleanup is initiated by binder_vma_close. Therefore
> a reference on the binder_proc is not enough to prevent the
> files_struct from being released while the binder_proc still has
> a reference. This can lead to an attempt to dereference the
> stale pointer obtained from proc->files prior to proc->files
> cleanup. This has been seen once in task_get_unused_fd_flags()
> when __alloc_fd() is called with a stale "files".
>
> The fix is to always use get_files_struct() to obtain struct_files
> so that the refcount on the files_struct is used to prevent
> a premature free. proc->files is removed since we get it every
> time.
>
> Signed-off-by: Todd Kjos
> ---
>  drivers/android/binder.c | 63 +++++++++++++++++++++++------------------------
>  1 file changed, 30 insertions(+), 33 deletions(-)

For a v2 patch (or v3 or whatever), you need to put below the --- line
what changed from the previous version(s).
Documentation/SubmittingPatches describes this pretty well :)

thanks,

greg k-h
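
The lifetime problem and the fix described in the quoted commit message, as a userspace C model added here (it is not code from this thread or from the binder driver). The struct layouts, drop_ref() and the two *_path_* functions are simplified assumptions; only the get/put naming follows the kernel.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model: "freed" stands in for the real free so staleness is observable. */
struct files_struct { int count; bool freed; };
struct task { struct files_struct *files; };

static struct files_struct *get_files_struct(struct task *t)
{
	struct files_struct *f = t->files; /* kernel: read under task_lock() */
	if (f)
		f->count++;
	return f;
}

static void put_files_struct(struct files_struct *f)
{
	if (f && --f->count == 0)
		f->freed = true;
}

/* A holder drops its reference and clears its pointer (cleanup, task exit). */
static void drop_ref(struct files_struct **slot)
{
	put_files_struct(*slot);
	*slot = NULL;
}

/* Before: pointer read from proc->files, cleanup runs, pointer then used. */
static bool old_path_is_stale(void)
{
	struct files_struct fs = { .count = 2 }; /* task ref + proc->files ref */
	struct task t = { &fs };
	struct files_struct *proc_files = &fs;   /* models proc->files */
	struct files_struct *files = proc_files; /* no reference for this use */
	drop_ref(&proc_files); /* cleanup initiated by vma close */
	drop_ref(&t.files);    /* task releases its table */
	return files->freed;   /* real code would hand this to __alloc_fd() */
}

/* After: a counted reference is held for the duration of each use. */
static bool new_path_is_safe(void)
{
	struct files_struct fs = { .count = 1 }; /* task ref only */
	struct task t = { &fs };
	struct files_struct *files = get_files_struct(&t);
	drop_ref(&t.files);      /* same teardown races in */
	bool alive = files && !files->freed;
	put_files_struct(files); /* last reference dropped here, not earlier */
	return alive && fs.freed;
}
```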