Received: by 10.223.164.202 with SMTP id h10csp2488895wrb;
        Thu, 16 Nov 2017 16:36:44 -0800 (PST)
X-Google-Smtp-Source: AGs4zMZQVKqU5X0nBKfHVSb3U+Jf7kpRqSzLFXW8t2L5efxJ+Euu71zn4fR/CxcBGxgdfFaBTHCN
X-Received: by 10.98.68.146 with SMTP id m18mr143676pfi.10.1510879004303;
        Thu, 16 Nov 2017 16:36:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510879004; cv=none;
        d=google.com; s=arc-20160816;
        b=rF5AKcSFlYXqkfIfvmmHfnJn00ifUuFo/7REIoWI8OxIgR8dMVQQe4qpHlwO/Xp0Un
         uNXK7H6FhvKODgL95SF2QvbGMhh5D8BN9PI4ppzIXKCx7kpErFUkhLnPLHdYdE1fBwn/
         bDf5v8IqSM7aXINX1d6426JS/ihjA9QYi038EeViC9ImD/da042cIfiYduD+4HstY+ds
         iWfBR2r7dVpipmm9rC3r5K00F1kuBmdUbacC7Pqe4KusIjv2DW3ob62xhkqICUIOHlFb
         cXVVN6fWxMm5Ot3sQd+8tPmlSFzyWfyKnoIAmPXHdO4RgqoYoNtO9rVzONBxy55izIMA
         ydtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=jr58xsveZLARumilPwkuTMQS+Y23jn8lCdbatHnHh7Q=;
        b=RSi6/JyIsFYs4YXrec93OiJTLeRBUOV92OlRdN7/JetNlYBRm3Y/Mw06+BIrtzFUrF
         anHdmouFOYAzy2fbPcv2HdR0AGvzhJqX6cNxevljHyHZy+zowSRa7/9t58wT6By44bw/
         tQb70FNreDEohOVzMPhuMKJhTw6HhTdkynYNX+VlEOiDcBZMMeqQCb4HzkRKVgpydCPb
         ZmNGRTDPuHxqlkbE65emcBaaECd6tgE2vL3eexuVJP35xXXLDfjwUb3/RicXO7E7du9C
         XZMK4Ei/WFIUohxfDuzHgTTuRGnKSfRWIvhfgaasUCtwwmBG8uH6QBtj1J0yb2/yaS2F
         ATNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=ZPbBB66l;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v74si1928206pfd.77.2017.11.16.16.36.30;
        Thu, 16 Nov 2017 16:36:44 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=ZPbBB66l;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1759647AbdKPUhL (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 92 others); Thu, 16 Nov 2017 15:37:11 -0500
Received: from mail-qt0-f193.google.com ([209.85.216.193]:34822 "EHLO
        mail-qt0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1758899AbdKPUhD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 Nov 2017 15:37:03 -0500
Received: by mail-qt0-f193.google.com with SMTP id n32so865374qtb.2
        for <linux-kernel@vger.kernel.org>; Thu, 16 Nov 2017 12:37:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=jr58xsveZLARumilPwkuTMQS+Y23jn8lCdbatHnHh7Q=;
        b=ZPbBB66lbKgnk1usLUEGKTuMW++sNHpxRpny/XA9UuGJX1av9l5RolAh4XhlXwZLFH
         NF0EEtKJ6YQycRhbKfT1KmNhcPRAESBIjeKoTFTcf7kiim+lJuAl6HqqjnHTX6ycD2j+
         MrYA5KEnx3g3Ry/qiRphpaq5wqG453G2UV3SVF8kk1uM2vdQjG+uoES+UahM1W3Ps1hj
         VBSrxxIKPW9c5MbpG0+aLSoL9hshqipBh1kdipo2ZGU1HmtJTs5gs7RweB+fLBhk/R1z
         lABltmJRZI/sDjFSVdsoq/gJZPFJFqwjbZpfFhwouSvvur12bYQPm8rdiUvjnYcqCiGj
         YoQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=jr58xsveZLARumilPwkuTMQS+Y23jn8lCdbatHnHh7Q=;
        b=D1E8UG8AVoSXVLfySEXnfoIMfyQ/QCFHMjIAv6xNtqUYKnqn2LgUq9wWw8qYFFsroS
         vbcyxFQgwzC2QU25dpt1gvSpPStrPlv1ONZUxqZyleVKy+cD19gQZQnG1WM7s4PvwB0G
         /oHlKh6GqLePybrZ/QDQFI1CU0N7VYodK80qa5WwVf1Hlnd2XXau6r5mBN1JdW/e79+i
         7YsShJuc+Fxmb5xT+hzYhOTT5ym+0d4Yxjy9n2iAqFOEqzed0zOkq8Y9ahsQKNBNMOUg
         60gVNlFyYoRTLE858QfJoxXRJFTrhMLXXyDWAYYAZi2Fsr0SHircbLI3ESKwp0YjPYGS
         ZxlQ==
X-Gm-Message-State: AJaThX6WiVvfY+TB3vco2Xt8cEp6ihUfxM4mcMwm37tBgVqyPSI5ifjC
        3jGMlWA4G8O6yhS/LJb5/Zn3BKzWSIcxWCKcvjBVfQ==
X-Received: by 10.237.42.15 with SMTP id c15mr4561602qtd.19.1510864622779;
 Thu, 16 Nov 2017 12:37:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.108.166 with HTTP; Thu, 16 Nov 2017 12:37:02 -0800 (PST)
In-Reply-To: <20171116202706.GA10790@kroah.com>
References: <20171116175650.40362-1-tkjos@google.com> <20171116202706.GA10790@kroah.com>
From:   Todd Kjos <tkjos@android.com>
Date:   Thu, 16 Nov 2017 12:37:02 -0800
Message-ID: <CAD0t5oPgochdO-LhrN+sRzx+Z=Mkvt=PdWqHNzxDRXKzNvtf5A@mail.gmail.com>
Subject: Re: [PATCH v2] binder: fix proc->files use-after-free
To:     Greg KH <gregkh@linuxfoundation.org>
Cc:     Todd Kjos <tkjos@google.com>,
        "Arve Hj??nnev??g" <arve@android.com>, devel@driverdev.osuosl.org,
        LKML <linux-kernel@vger.kernel.org>,
        Martijn Coenen <maco@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Sorry about that, do you want a v3 with correct annotations?

On Thu, Nov 16, 2017 at 12:27 PM, Greg KH <gregkh@linuxfoundation.org> wrote:
> On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote:
>> proc->files cleanup is initiated by binder_vma_close. Therefore
>> a reference on the binder_proc is not enough to prevent the
>> files_struct from being released while the binder_proc still has
>> a reference. This can lead to an attempt to dereference the
>> stale pointer obtained from proc->files prior to proc->files
>> cleanup. This has been seen once in task_get_unused_fd_flags()
>> when __alloc_fd() is called with a stale "files".
>>
>> The fix is to always use get_files_struct() to obtain struct_files
>> so that the refcount on the files_struct is used to prevent
>> a premature free. proc->files is removed since we get it every
>> time.
>>
>> Signed-off-by: Todd Kjos <tkjos@google.com>
>> ---
>>  drivers/android/binder.c | 63 +++++++++++++++++++++++-------------------------
>>  1 file changed, 30 insertions(+), 33 deletions(-)
>
> For a v2 patch (or v3 or whatever), you need to put below the --- line
> what changed from the previous version(s).
> Documentation/SubmittingPatches describes this pretty well :)
>
> thanks,
>
> greg k-h

From 1584246731040362261@xxx Thu Nov 16 18:03:38 +0000 2017
X-GM-THRID: 1584246731040362261
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread