From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Carlos Llamas <cmllamas@google.com>,
Alice Ryhl <aliceryhl@google.com>,
Tiffany Yang <ynaffit@google.com>
Subject: [PATCH 6.17 13/26] binder: fix double-free in dbitmap
Date: Fri, 10 Oct 2025 15:16:08 +0200 [thread overview]
Message-ID: <20251010131331.693737314@linuxfoundation.org> (raw)
In-Reply-To: <20251010131331.204964167@linuxfoundation.org>
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 3ebcd3460cad351f198c39c6edb4af519a0ed934 upstream.
A process might fail to allocate a new bitmap when trying to expand its
proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap
via dbitmap_free(). However, the driver calls dbitmap_free() again when
the same process terminates, leading to a double-free error:
==================================================================
BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
Free of addr ffff00000b7c1420 by task kworker/9:1/209
CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
kfree+0x164/0x31c
binder_proc_dec_tmpref+0x2e0/0x55c
binder_deferred_func+0xc24/0x1120
process_one_work+0x520/0xba4
[...]
Allocated by task 448:
__kmalloc_noprof+0x178/0x3c0
bitmap_zalloc+0x24/0x30
binder_open+0x14c/0xc10
[...]
Freed by task 449:
kfree+0x184/0x31c
binder_inc_ref_for_node+0xb44/0xe44
binder_transaction+0x29b4/0x7fbc
binder_thread_write+0x1708/0x442c
binder_ioctl+0x1b50/0x2900
[...]
==================================================================
Fix this issue by marking proc->map NULL in dbitmap_free().
Cc: stable@vger.kernel.org
Fixes: 15d9da3f818c ("binder: use bitmap for faster descriptor lookup")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Tiffany Yang <ynaffit@google.com>
Link: https://lore.kernel.org/r/20250915221248.3470154-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/dbitmap.h | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/android/dbitmap.h
+++ b/drivers/android/dbitmap.h
@@ -37,6 +37,7 @@ static inline void dbitmap_free(struct d
{
dmap->nbits = 0;
kfree(dmap->map);
+ dmap->map = NULL;
}
/* Returns the nbits that a dbitmap can shrink to, 0 if not possible. */
next prev parent reply other threads:[~2025-10-10 13:17 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 13:15 [PATCH 6.17 00/26] 6.17.2-rc1 review Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 01/26] drm/amdgpu: Enable MES lr_compute_wa by default Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 02/26] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 03/26] Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 04/26] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 05/26] wifi: rtl8xxxu: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 06/26] rust: drm: fix `srctree/` links Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 07/26] rust: block: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 08/26] rust: pci: fix incorrect platform reference in PCI driver probe doc comment Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 09/26] rust: pci: fix incorrect platform reference in PCI driver unbind " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 10/26] serial: qcom-geni: Fix blocked task Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 11/26] nvmem: layouts: fix automatic module loading Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 12/26] drivers/misc/amd-sbi/Kconfig: select REGMAP_I2C Greg Kroah-Hartman
2025-10-10 13:16 ` Greg Kroah-Hartman [this message]
2025-10-10 13:16 ` [PATCH 6.17 14/26] serial: stm32: allow selecting console when the driver is module Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 15/26] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 16/26] staging: axis-fifo: fix TX handling on copy_from_user() failure Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 17/26] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 18/26] driver core: faux: Set power.no_pm for faux devices Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 19/26] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 20/26] Revert "crypto: testmgr - desupport SHA-1 for FIPS 140" Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 21/26] crypto: zstd - Fix compression bug caused by truncation Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 22/26] crypto: rng - Ensure set_ent is always present Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 23/26] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 24/26] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 25/26] f2fs: fix to do sanity check on node footer for non inode dnode Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 26/26] ring buffer: Propagate __rb_map_vma return value to caller Greg Kroah-Hartman
2025-10-10 15:14 ` [PATCH 6.17 00/26] 6.17.2-rc1 review Ronald Warsow
2025-10-10 17:15 ` Jon Hunter
2025-10-10 19:51 ` Justin Forbes
2025-10-10 22:20 ` Shuah Khan
2025-10-11 8:39 ` Naresh Kamboju
2025-10-11 10:49 ` Mark Brown
2025-10-11 11:31 ` Ron Economos
2025-10-11 12:26 ` Takeshi Ogasawara
2025-10-11 16:55 ` Brett A C Sheffield
2025-10-11 21:59 ` Peter Schneider
2025-10-12 9:42 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010131331.693737314@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aliceryhl@google.com \
--cc=cmllamas@google.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=ynaffit@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.