From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com,
Martijn Coenen <maco@android.com>
Subject: [PATCH 4.15 30/45] ANDROID: binder: synchronize_rcu() when using POLLFREE.
Date: Fri, 23 Feb 2018 19:29:09 +0100 [thread overview]
Message-ID: <20180223170720.098617539@linuxfoundation.org> (raw)
In-Reply-To: <20180223170715.197760019@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
commit 5eeb2ca02a2f6084fc57ae5c244a38baab07033a upstream.
To prevent races with ep_remove_waitqueue() removing the
waitqueue at the same time.
Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4322,6 +4322,15 @@ static int binder_thread_release(struct
binder_inner_proc_unlock(thread->proc);
+ /*
+ * This is needed to avoid races between wake_up_poll() above and
+ * and ep_remove_waitqueue() called for other reasons (eg the epoll file
+ * descriptor being closed); ep_remove_waitqueue() holds an RCU read
+ * lock, so we can be sure it's done after calling synchronize_rcu().
+ */
+ if (thread->looper & BINDER_LOOPER_STATE_POLL)
+ synchronize_rcu();
+
if (send_reply)
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
binder_release_work(proc, &thread->todo);
next prev parent reply other threads:[~2018-02-23 18:29 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-23 18:28 [PATCH 4.15 00/45] 4.15.6-stable review Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 01/45] tun: fix tun_napi_alloc_frags() frag allocator Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 02/45] ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 03/45] ptr_ring: try vmalloc() when kmalloc() fails Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 04/45] selinux: ensure the context is NUL terminated in security_context_to_sid_core() Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 05/45] selinux: skip bounded transition processing if the policy isnt loaded Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 06/45] media: pvrusb2: properly check endpoint types Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 07/45] crypto: x86/twofish-3way - Fix %rbp usage Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 08/45] staging: android: ion: Add __GFP_NOWARN for system contig heap Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 09/45] staging: android: ion: Switch from WARN to pr_warn Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 10/45] blk_rq_map_user_iov: fix error override Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 11/45] KVM: x86: fix escape of guest dr6 to the host Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 12/45] kcov: detect double association with a single task Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 13/45] netfilter: x_tables: fix int overflow in xt_alloc_table_info() Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 14/45] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 15/45] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 16/45] netfilter: on sockopt() acquire sock lock only in the required scope Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 17/45] netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1() Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 18/45] netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 19/45] rds: tcp: correctly sequence cleanup on netns deletion Greg Kroah-Hartman
2018-02-23 18:28 ` [PATCH 4.15 20/45] rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 21/45] net: avoid skb_warn_bad_offload on IS_ERR Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 22/45] net_sched: gen_estimator: fix lockdep splat Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 23/45] soc: qcom: rmtfs_mem: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 24/45] ASoC: ux500: add MODULE_LICENSE tag Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 25/45] video: fbdev/mmp: add MODULE_LICENSE Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 26/45] ARM: 8743/1: bL_switcher: add MODULE_LICENSE tag Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 27/45] arm64: dts: add #cooling-cells to CPU nodes Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 28/45] dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 29/45] ANDROID: binder: remove WARN() for redundant txn error Greg Kroah-Hartman
2018-02-23 18:29 ` Greg Kroah-Hartman [this message]
2018-02-23 18:29 ` [PATCH 4.15 31/45] staging: android: ashmem: Fix a race condition in pin ioctls Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 32/45] binder: check for binder_thread allocation failure in binder_poll() Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 33/45] binder: replace "%p" with "%pK" Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 34/45] staging: fsl-mc: fix build testing on x86 Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 35/45] staging: iio: adc: ad7192: fix external frequency setting Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 36/45] staging: iio: ad5933: switch buffer mode to software Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 37/45] xhci: Fix NULL pointer in xhci debugfs Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 38/45] xhci: Fix xhci debugfs devices node disappearance after hibernation Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 39/45] xhci: xhci debugfs device nodes werent removed after device plugged out Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 40/45] xhci: fix xhci debugfs errors in xhci_stop Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 41/45] usbip: keep usbip_device sockfd state in sync with tcp_socket Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 42/45] crypto: s5p-sss - Fix kernel Oops in AES-ECB mode Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 43/45] mei: me: add cannon point device ids Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 44/45] mei: me: add cannon point device ids for 4th device Greg Kroah-Hartman
2018-02-23 18:29 ` [PATCH 4.15 45/45] vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems Greg Kroah-Hartman
2018-02-23 23:57 ` [PATCH 4.15 00/45] 4.15.6-stable review kernelci.org bot
2018-02-24 0:38 ` Shuah Khan
2018-02-24 8:26 ` Greg Kroah-Hartman
2018-02-24 17:58 ` Guenter Roeck
2018-02-25 9:59 ` Greg Kroah-Hartman
2018-02-25 3:37 ` Dan Rue
2018-02-25 9:58 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180223170720.098617539@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@android.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.