From: Carlos Llamas <cmllamas@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Christian Brauner" <brauner@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Liam Howlett" <liam.howlett@oracle.com>,
kernel-team@android.com,
syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com,
syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com,
stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/7] binder: fix alloc->vma_vm_mm null-ptr dereference
Date: Mon, 29 Aug 2022 21:20:42 +0000
Message-ID: <Yw0tqreGRPOwyAaX@google.com>
In-Reply-To: <20220829133452.cd4d9abe858c940126557c41@linux-foundation.org>
On Mon, Aug 29, 2022 at 01:34:52PM -0700, Andrew Morton wrote:
> On Mon, 29 Aug 2022 20:12:48 +0000 Carlos Llamas <cmllamas@google.com> wrote:
>
> > Syzbot reported a couple of issues introduced by commit 44e602b4e52f
> > ("binder_alloc: add missing mmap_lock calls when using the VMA"), in
> > which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not
> > been initialized yet.
> >
> > This can happen if a binder_proc receives a transaction without having
> > previously called mmap() to set up the binder_proc->alloc space in [1].
> > Also, a similar issue occurs via binder_alloc_print_pages() when we try
> > to dump the debugfs binder stats file in [2].
>
> Thanks. I assume you'll be merging all these into mainline?
Yes, I believe Greg will pick up these patches into his char-misc tree.
>
> >
> > Fixes: 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA")
> > Reported-by: syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com
> > Reported-by: syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com
> > Cc: <stable@vger.kernel.org> # v5.15+
>
> 44e602b4e52f is only present in 6.0-rcX?
Right, it was just added to the stable queue earlier today:
https://lore.kernel.org/all/20220829105814.857786586@linuxfoundation.org/
https://lore.kernel.org/all/20220829105809.855177179@linuxfoundation.org/
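The init-ordering bug in the quoted report, as an added example that is not part of this thread or of the binder driver: a user-space C model in which alloc->vma_vm_mm stays NULL until a simulated mmap() runs, so the allocation path must check it before taking the (simulated) mmap_lock. The struct layout, the counter standing in for the lock, the -ESRCH/-ENOSPC return values and every helper name not quoted above are assumptions made for the model.

```c
#include <errno.h>

struct mm_struct { int readers; };  /* stand-in; readers models mmap_lock */

/* Simulated mmap_read_lock()/unlock(): both dereference mm first. */
static void mmap_read_lock(struct mm_struct *mm)   { mm->readers++; }
static void mmap_read_unlock(struct mm_struct *mm) { mm->readers--; }

/* Minimal binder_alloc: vma_vm_mm stays NULL until the proc calls mmap(). */
struct binder_alloc {
	struct mm_struct *vma_vm_mm;
	unsigned long free_space;
};

/* Simulated binder mmap() path: only here does the allocator get its mm. */
static void binder_alloc_mmap_handler(struct binder_alloc *alloc,
				      struct mm_struct *mm, unsigned long size)
{
	mm->readers = 0;
	alloc->free_space = size;
	alloc->vma_vm_mm = mm;
}

/* Buffer request for an incoming transaction. Without the first check, a
 * proc that never called mmap() locks through a NULL mm: the reported bug. */
static int binder_alloc_new_buf(struct binder_alloc *alloc, unsigned long size)
{
	int ret = 0;
	if (!alloc->vma_vm_mm)
		return -ESRCH;            /* not mapped yet: refuse the work */
	mmap_read_lock(alloc->vma_vm_mm);
	if (size <= alloc->free_space)
		alloc->free_space -= size;
	else
		ret = -ENOSPC;
	mmap_read_unlock(alloc->vma_vm_mm);
	return ret;
}

/* Reported ordering: a transaction before mmap(), then one after it. */
static int guard_scenario(void)
{
	struct binder_alloc alloc = { 0, 0 };
	struct mm_struct mm;
	int before = binder_alloc_new_buf(&alloc, 64);   /* -ESRCH */

	binder_alloc_mmap_handler(&alloc, &mm, 128);
	return before == -ESRCH && binder_alloc_new_buf(&alloc, 64) == 0 &&
	       alloc.free_space == 64 && mm.readers == 0;
}
```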