From: Greg KH <gregkh@linuxfoundation.org>
To: Kassey Li <quic_yingangl@quicinc.com>
Cc: gregkh@google.com, cmllamas@google.com, surenb@google.com,
	arve@android.com, joel@joelfernandes.org, brauner@kernel.org,
	tkjos@android.com, maco@android.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] binder: add mutex_lock for mmap and NULL when free
Date: Sat, 7 Oct 2023 13:18:52 +0200
Message-ID: <2023100725-oversized-shore-c873@gregkh>
In-Reply-To: <26988068-8c9f-8591-db6e-44c8105af638@quicinc.com>

On Sat, Oct 07, 2023 at 07:07:40PM +0800, Kassey Li wrote:
> 
> 
> On 2023/10/7 14:44, Greg KH wrote:
> > On Sat, Oct 07, 2023 at 11:40:46AM +0800, Kassey Li wrote:
> > > Enforce alloc->mutex in binder_alloc_mmap_handler when adding
> > > the entry to the list.
> > > 
> > > Assign the freed pages/page_ptr to NULL to catch possible
> > > use after free with NULL pointer access.
> > > 
> > > Signed-off-by: Kassey Li <quic_yingangl@quicinc.com>
> > > ---
> > >   drivers/android/binder_alloc.c | 5 ++++-
> > >   1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > What commit id does this fix?
> 
>   There is no specific commit id this change is going to fix.
> 
>   It is a follow-up for commits
> 	19c987241ca1216a51118b2bd0185b8bc5081783  binder: separate out binder_alloc
> functions (mutex lock added for list access in alloc/free)
> 	f2517eb76f1f2f7f89761f9db2b202e89931738c  android: binder: Add global lru
> shrinker to binder (set page->page_ptr = NULL;)
> 
>   The background for raising this change is that we easily hit the below crash in
> monkey test:
> 
> where a wrong end is passed to
> binder_update_page_range, thus calculating a weird index
> for
>   page = &alloc->pages[index]

Obviously it is a fix for some commit, please list that here.

thanks,

greg k-h
