[PATCH 6.14 19/24] binder: fix yet another UAF in binder_devices

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+4af454407ec393de51d6@syzkaller.appspotmail.com,
	Carlos Llamas <cmllamas@google.com>
Subject: [PATCH 6.14 19/24] binder: fix yet another UAF in binder_devices
Date: Sat,  7 Jun 2025 12:07:59 +0200	[thread overview]
Message-ID: <20250607100718.447036599@linuxfoundation.org> (raw)
In-Reply-To: <20250607100717.706871523@linuxfoundation.org>

6.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carlos Llamas <cmllamas@google.com>

commit 9857af0fcff385c75433f2162c30c62eb912ef6d upstream.

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")
addressed a use-after-free where devices could be released without first
being removed from the binder_devices list. However, there is a similar
path in binder_free_proc() that was missed:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100
  Write of size 8 at addr ffff0000c773b900 by task umount/467
  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   binder_remove_device+0xd4/0x100
   binderfs_evict_inode+0x230/0x2f0
   evict+0x25c/0x5dc
   iput+0x304/0x480
   dentry_unlink_inode+0x208/0x46c
   __dentry_kill+0x154/0x530
   [...]

  Allocated by task 463:
   __kmalloc_cache_noprof+0x13c/0x324
   binderfs_binder_device_create.isra.0+0x138/0xa60
   binder_ctl_ioctl+0x1ac/0x230
  [...]

  Freed by task 215:
   kfree+0x184/0x31c
   binder_proc_dec_tmpref+0x33c/0x4ac
   binder_deferred_func+0xc10/0x1108
   process_one_work+0x520/0xba4
  [...]
  ==================================================================

Call binder_remove_device() within binder_free_proc() to ensure the
device is removed from the binder_devices list before being kfreed.

Cc: stable@vger.kernel.org
Fixes: 12d909cac1e1 ("binderfs: add new binder devices to binder_devices")
Reported-by: syzbot+4af454407ec393de51d6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4af454407ec393de51d6
Tested-by: syzbot+4af454407ec393de51d6@syzkaller.appspotmail.com
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20250524220758.915028-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5246,6 +5246,7 @@ static void binder_free_proc(struct bind
 			__func__, proc->outstanding_txns);
 	device = container_of(proc->context, struct binder_device, context);
 	if (refcount_dec_and_test(&device->ref)) {
+		binder_remove_device(device);
 		kfree(proc->context->name);
 		kfree(device);
 	}

next prev parent reply	other threads:[~2025-06-07 10:10 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-07 10:07 [PATCH 6.14 00/24] 6.14.11-rc1 review Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 01/24] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 02/24] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 03/24] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 04/24] clk: samsung: correct clock summary for hsi1 block Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 05/24] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 06/24] Documentation: ACPI: Use all-string data node references Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 07/24] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 08/24] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 09/24] orangefs: adjust counting code to recover from 665575cf Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 10/24] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 11/24] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 12/24] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 13/24] usb: typec: ucsi: fix Clang -Wsign-conversion warning Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 14/24] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 15/24] serial: jsm: fix NPE during jsm_uart_port_init Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 16/24] nvmem: rmem: select CONFIG_CRC32 Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 17/24] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
2025-06-07 10:07 ` [PATCH 6.14 18/24] binder: fix use-after-free in binderfs_evict_inode() Greg Kroah-Hartman
2025-06-07 10:07 ` Greg Kroah-Hartman [this message]
2025-06-07 10:08 ` [PATCH 6.14 20/24] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
2025-06-07 10:08 ` [PATCH 6.14 21/24] dt-bindings: pwm: adi,axi-pwmgen: Fix clocks Greg Kroah-Hartman
2025-06-07 10:08 ` [PATCH 6.14 22/24] dt-bindings: usb: cypress,hx3: Add support for all variants Greg Kroah-Hartman
2025-06-07 10:08 ` [PATCH 6.14 23/24] dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property Greg Kroah-Hartman
2025-06-07 10:08 ` [PATCH 6.14 24/24] Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Greg Kroah-Hartman
2025-06-07 16:22 ` [PATCH 6.14 00/24] 6.14.11-rc1 review Florian Fainelli
2025-06-08  5:44 ` Ron Economos
2025-06-08  6:44 ` Naresh Kamboju
2025-06-08 17:00 ` Peter Schneider
2025-06-08 17:54 ` Pavel Machek
2025-06-08 22:22 ` Mark Brown
2025-06-09 12:50 ` Jon Hunter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250607100718.447036599@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=cmllamas@google.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+4af454407ec393de51d6@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.