From: Carlos Llamas <cmllamas@google.com>
To: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Arve Hjønnevåg" <arve@android.com>,
	"Todd Kjos" <tkjos@android.com>,
	"Martijn Coenen" <maco@android.com>,
	"Joel Fernandes" <joel@joelfernandes.org>,
	"Christian Brauner" <brauner@kernel.org>,
	"Suren Baghdasaryan" <surenb@google.com>,
	"Alice Ryhl" <aliceryhl@google.com>
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com,
	syzkaller-bugs@googlegroups.com, stable@vger.kernel.org,
	syzbot+3dae065ca76952a67257@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] binder: fix descriptor lookup for context manager
Date: Mon, 22 Jul 2024 15:50:07 +0000
Message-ID: <Zp5_r40tsnm0AluS@google.com>
In-Reply-To: <20240722150512.4192473-1-cmllamas@google.com>

On Mon, Jul 22, 2024 at 03:05:11PM +0000, Carlos Llamas wrote:
> In commit 15d9da3f818c ("binder: use bitmap for faster descriptor
> lookup"), it was incorrectly assumed that references to the context
> manager node should always get descriptor zero assigned to them.
> 
> However, if the context manager dies and a new process takes its place,
> then assigning descriptor zero to the new context manager might lead to
> collisions, as there could still be references to the older node. This
> issue was reported by syzbot with the following trace:
> 
>   kernel BUG at drivers/android/binder.c:1173!
>   Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
>   Modules linked in:
>   CPU: 1 PID: 447 Comm: binder-util Not tainted 6.10.0-rc6-00348-g31643d84b8c3 #10
>   Hardware name: linux,dummy-virt (DT)
>   pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>   pc : binder_inc_ref_for_node+0x500/0x544
>   lr : binder_inc_ref_for_node+0x1e4/0x544
>   sp : ffff80008112b940
>   x29: ffff80008112b940 x28: ffff0e0e40310780 x27: 0000000000000000
>   x26: 0000000000000001 x25: ffff0e0e40310738 x24: ffff0e0e4089ba34
>   x23: ffff0e0e40310b00 x22: ffff80008112bb50 x21: ffffaf7b8f246970
>   x20: ffffaf7b8f773f08 x19: ffff0e0e4089b800 x18: 0000000000000000
>   x17: 0000000000000000 x16: 0000000000000000 x15: 000000002de4aa60
>   x14: 0000000000000000 x13: 2de4acf000000000 x12: 0000000000000020
>   x11: 0000000000000018 x10: 0000000000000020 x9 : ffffaf7b90601000
>   x8 : ffff0e0e48739140 x7 : 0000000000000000 x6 : 000000000000003f
>   x5 : ffff0e0e40310b28 x4 : 0000000000000000 x3 : ffff0e0e40310720
>   x2 : ffff0e0e40310728 x1 : 0000000000000000 x0 : ffff0e0e40310710
>   Call trace:
>    binder_inc_ref_for_node+0x500/0x544
>    binder_transaction+0xf68/0x2620
>    binder_thread_write+0x5bc/0x139c
>    binder_ioctl+0xef4/0x10c8
>   [...]
> 
> This patch adds back the previous behavior of assigning the next
> non-zero descriptor if references to previous context managers still
> exist. It amends both strategies, the newer dbitmap code and also the
> legacy slow_desc_lookup_olocked(), by allowing them to start looking
> for available descriptors at a given offset.
> 
> Fixes: 15d9da3f818c ("binder: use bitmap for faster descriptor lookup")
> Cc: stable@vger.kernel.org
> Reported-and-tested-by: syzbot+3dae065ca76952a67257@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000c1c0a0061d1e6979@google.com/
> Reviewed-by: Alice Ryhl <aliceryhl@google.com>
> Signed-off-by: Carlos Llamas <cmllamas@google.com>
> ---

Sorry, I forgot to feed --notes to git send-email and the list of
changes in this v2 patch was missed. Here it is:

Notes:
    v2: updated comment about BIT(0) per Alice's feedback
        collect tags
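To make the descriptor-collision scenario from the commit message concrete, here is a small userspace C model added for this page; it is not the kernel's code and not part of the patch. All `model_` names, the 64-descriptor limit and the sorted-array stand-in for the legacy lookup are assumptions made for illustration. It models both strategies the patch amends (a bitmap lookup and a slow scan over existing descriptors), each starting at a caller-supplied offset, and contrasts that with the assumption the commit message calls incorrect: that a context-manager reference always gets descriptor 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of per-process binder descriptor allocation (not kernel
 * code). Descriptor 0 is reserved for the context manager; ordinary
 * references start at 1. */
#define MODEL_MAX_DESC 64

struct model_proc {
	uint64_t dbitmap;                   /* bit n set => descriptor n in use */
	unsigned int descs[MODEL_MAX_DESC]; /* same descriptors, kept sorted, for the slow path */
	unsigned int nr_descs;
};

/* Fast strategy: lowest clear bit at or above 'offset'; -1 when none is free. */
int model_dbitmap_lookup(const struct model_proc *p, unsigned int offset)
{
	for (unsigned int i = offset; i < MODEL_MAX_DESC; i++)
		if (!(p->dbitmap & ((uint64_t)1 << i)))
			return (int)i;
	return -1;
}

/* Legacy strategy: walk the sorted descriptor list for the first gap at or
 * above 'offset' (the role slow_desc_lookup_olocked() plays in the patch). */
int model_slow_desc_lookup(const struct model_proc *p, unsigned int offset)
{
	unsigned int desc = offset;

	for (unsigned int i = 0; i < p->nr_descs; i++) {
		if (p->descs[i] < desc)
			continue;
		if (p->descs[i] > desc)
			break;     /* gap: 'desc' is unused */
		desc++;            /* descs[i] == desc, try the next one */
	}
	return desc < MODEL_MAX_DESC ? (int)desc : -1;
}

/* Record a newly assigned descriptor in both representations. */
static void model_record(struct model_proc *p, unsigned int desc)
{
	unsigned int i = p->nr_descs;

	while (i > 0 && p->descs[i - 1] > desc) {
		p->descs[i] = p->descs[i - 1];
		i--;
	}
	p->descs[i] = desc;
	p->nr_descs++;
	p->dbitmap |= (uint64_t)1 << desc;
}

/* Fixed behaviour: a context-manager ref starts looking at 0, any other ref
 * at 1. If 0 is still held by a ref to a previous context manager, the lookup
 * simply continues to the next free descriptor. */
int model_alloc_desc(struct model_proc *p, bool is_context_mgr, bool use_bitmap)
{
	unsigned int offset = is_context_mgr ? 0 : 1;
	int desc = use_bitmap ? model_dbitmap_lookup(p, offset)
			      : model_slow_desc_lookup(p, offset);

	if (desc < 0)
		return -1;
	model_record(p, (unsigned int)desc);
	return desc;
}

/* The incorrect assumption: a context-manager ref is always given descriptor
 * 0. Returns -2 on a collision; in the trace above the kernel instead hit
 * BUG() inside binder_inc_ref_for_node(). */
int model_alloc_desc_assume_zero(struct model_proc *p, bool is_context_mgr)
{
	if (!is_context_mgr)
		return model_alloc_desc(p, false, true);
	if (p->dbitmap & 1)
		return -2;         /* descriptor 0 already in use */
	model_record(p, 0);
	return 0;
}

/* Scenario from the commit message: a ref to the old context manager (0) and an
 * ordinary ref (1) outlive the old manager; a new context manager then needs a
 * ref in the same process. Returns the descriptor the new manager ref gets. */
int model_new_cm_desc_fixed(bool use_bitmap)
{
	struct model_proc p;

	memset(&p, 0, sizeof(p));
	model_alloc_desc(&p, true, use_bitmap);   /* old context manager -> 0 */
	model_alloc_desc(&p, false, use_bitmap);  /* ordinary node        -> 1 */
	return model_alloc_desc(&p, true, use_bitmap); /* new context manager */
}

int model_new_cm_desc_assume_zero(void)
{
	struct model_proc p;

	memset(&p, 0, sizeof(p));
	model_alloc_desc_assume_zero(&p, true);
	model_alloc_desc_assume_zero(&p, false);
	return model_alloc_desc_assume_zero(&p, true);
}

int main(void)
{
	printf("fixed (bitmap): new context manager gets %d\n", model_new_cm_desc_fixed(true));
	printf("fixed (slow):   new context manager gets %d\n", model_new_cm_desc_fixed(false));
	printf("assume-zero:    result %d (negative = collision)\n", model_new_cm_desc_assume_zero());
	return 0;
}
```

Both strategies return the same descriptor for the same state because they answer the same question, "first unused descriptor at or above the offset"; the offset parameter is what lets the context-manager case degrade gracefully from 0 to the next free slot instead of colliding.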


Thread overview: 14+ messages
2024-07-13 10:25 [syzbot] [kernel?] kernel BUG in binder_inc_ref_for_node syzbot
2024-07-13 13:21 ` Hillf Danton
2024-07-13 13:56   ` syzbot
2024-07-15 20:23 ` Carlos Llamas
2024-07-15 23:52   ` syzbot
2024-07-16  4:28     ` [PATCH] binder: fix descriptor lookup for context manager Carlos Llamas
2024-07-16 17:40       ` Todd Kjos
2024-07-16 18:48         ` Carlos Llamas
2024-07-16 19:00           ` Carlos Llamas
2024-07-22 10:57         ` Alice Ryhl
2024-07-22 15:39           ` Carlos Llamas
2024-07-22 11:30       ` Alice Ryhl
2024-07-22 15:05         ` [PATCH v2] " Carlos Llamas
2024-07-22 15:50           ` Carlos Llamas [this message]
