Date: Fri, 5 Jan 2018 13:20:21 +0100
From: Greg KH
To: Martijn Coenen
Cc: john.stultz@linaro.org, tkjos@google.com, arve@android.com, linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org, maco@google.com, ebiggers@google.com
Subject: Re: [PATCH] ANDROID: binder: remove waitqueue when thread exits.
Message-ID: <20180105122021.GF19551@kroah.com>
References: <20180105102707.261740-1-maco@android.com>
In-Reply-To: <20180105102707.261740-1-maco@android.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 05, 2018 at 11:27:07AM +0100, Martijn Coenen wrote:
> binder_poll() passes the thread->wait waitqueue that
> can be slept on for work. When a thread that uses
> epoll explicitly exits using BINDER_THREAD_EXIT,
> the waitqueue is freed, but it is never removed
> from the corresponding epoll data structure. When
> the process subsequently exits, the epoll cleanup
> code tries to access the waitlist, which results in
> a use-after-free.
>
> Prevent this by using POLLFREE when the thread exits.
>
> Signed-off-by: Martijn Coenen
> Reported-by: syzbot
> ---
>  drivers/android/binder.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)

Should this be a 4.15-final thing, as well as backported to any range of older kernels?

thanks,

greg k-h
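The sequence the commit message describes (epoll queues an entry on thread->wait, the thread is released and its waitqueue head freed, epoll's teardown then unlinks through the stale pointer), as an added user-space model in C. This is illustration written for this page, not the binder patch and not kernel code: the structs are cut-down stand-ins for list_head, wait_queue_head, eppoll_entry and binder_thread; the POLLFREE value and the way ep_poll_callback() clears whead and unlinks on POLLFREE follow the kernel of that era; the live_head marker, the polled flag and run_scenario() are devices of this example so the stale access is observable without a sanitizer.

```c
#include <stddef.h>
#include <stdlib.h>

/* Event bits as in the kernel's poll headers of the time. */
#define POLLHUP  0x010
#define POLLFREE 0x4000

/* Intrusive circular list, modelled on the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *l) { l->next = l->prev = l; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct wait_queue_entry;
typedef void (*wait_func_t)(struct wait_queue_entry *, unsigned int key);
struct wait_queue_head  { struct list_head head; };
struct wait_queue_entry { struct list_head entry; wait_func_t func; };

/* epoll's per-target record (eppoll_entry): its wait entry plus the head it
 * was queued on, which ep_remove() later uses to unlink the entry. */
struct eppoll_entry { struct wait_queue_entry wait; struct wait_queue_head *whead; };

/* binder_thread owns the head that binder_poll() hands to poll_wait(), so the
 * head is freed together with the thread on BINDER_THREAD_EXIT.
 * The polled flag is an assumption of this model. */
struct binder_thread { struct wait_queue_head wait; int polled; };

/* Records which head is live, so the stale access is observable without a
 * sanitizer (a device of this example; the kernel has nothing like it). */
static const struct wait_queue_head *live_head;

/* __wake_up_common: walk safely, since a callback may unlink its own entry. */
static void wake_up_poll(struct wait_queue_head *wq, unsigned int key)
{
    struct list_head *p, *n;
    for (p = wq->head.next; p != &wq->head; p = n) {
        n = p->next;
        struct wait_queue_entry *e = container_of(p, struct wait_queue_entry, entry);
        e->func(e, key);
    }
}

/* ep_poll_callback: on POLLFREE, forget the head and unlink now, while the
 * head is still valid memory. */
static void ep_poll_callback(struct wait_queue_entry *wait, unsigned int key)
{
    struct eppoll_entry *pwq = container_of(wait, struct eppoll_entry, wait);
    if (key & POLLFREE) { pwq->whead = NULL; list_del_init(&wait->entry); }
}

/* EPOLL_CTL_ADD on a binder fd: binder_poll() -> poll_wait(&thread->wait)
 * -> ep_ptable_queue_proc() queues epoll's entry on the thread's head. */
static void epoll_ctl_add(struct eppoll_entry *pwq, struct binder_thread *t)
{
    pwq->wait.func = ep_poll_callback;
    list_init(&pwq->wait.entry);
    pwq->whead = &t->wait;
    list_add(&pwq->wait.entry, &t->wait.head);
    t->polled = 1;
}

/* ep_remove() at process exit: unlink from whichever head was recorded.
 * Returns 1 if that head was already freed, i.e. the use-after-free. */
static int ep_remove(struct eppoll_entry *pwq)
{
    if (!pwq->whead) return 0;                 /* detached earlier via POLLFREE */
    if (pwq->whead != live_head) return 1;     /* would dereference freed memory */
    list_del_init(&pwq->wait.entry);
    pwq->whead = NULL;
    return 0;
}

/* BINDER_THREAD_EXIT. With the fix, pollers are told the head is going away
 * before it is freed; without it their entries keep pointing at freed memory. */
static void binder_thread_release(struct binder_thread *t, int with_fix)
{
    if (with_fix && t->polled) wake_up_poll(&t->wait, POLLHUP | POLLFREE);
    live_head = NULL;
    free(t);
}

/* Whole scenario; returns 1 when epoll's teardown touches the freed head. */
int run_scenario(int with_fix)
{
    struct eppoll_entry pwq;
    struct binder_thread *t = calloc(1, sizeof *t);
    list_init(&t->wait.head);
    live_head = &t->wait;
    epoll_ctl_add(&pwq, t);              /* epoll registers on thread->wait */
    binder_thread_release(t, with_fix);  /* thread exits, head freed */
    return ep_remove(&pwq);              /* process exit, epoll cleanup */
}
```

run_scenario(0) reproduces the ordering from the report and returns 1 because ep_remove() still holds a whead pointing at the freed thread; run_scenario(1) returns 0 because the POLLFREE wake-up let ep_poll_callback() drop the entry while the head was still alive. The live_head comparison is what makes the bug visible here; in a real kernel the same step would be a read of freed slab memory, which is what a KASAN build or syzbot reports.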