From: Simon Horman <horms@kernel.org>
To: Li Li <dualli@chromium.org>
Cc: dualli@google.com, corbet@lwn.net, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
donald.hunter@gmail.com, gregkh@linuxfoundation.org,
arve@android.com, tkjos@android.com, maco@android.com,
joel@joelfernandes.org, brauner@kernel.org, cmllamas@google.com,
surenb@google.com, omosnace@redhat.com, shuah@kernel.org,
arnd@arndb.de, masahiroy@kernel.org, bagasdotme@gmail.com,
tweek@google.com, paul@paul-moore.com,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
netdev@vger.kernel.org, selinux@vger.kernel.org,
linux-security-module@vger.kernel.org, hridya@google.com,
smoreland@google.com, ynaffit@google.com,
kernel-team@android.com
Subject: Re: [PATCH RESEND v17 2/3] binder: report txn errors via generic netlink
Date: Mon, 21 Apr 2025 16:17:13 +0100 [thread overview]
Message-ID: <20250421151713.GP2789685@horms.kernel.org> (raw)
In-Reply-To: <20250417002005.2306284-3-dualli@chromium.org>
On Wed, Apr 16, 2025 at 05:20:03PM -0700, Li Li wrote:
> From: Li Li <dualli@google.com>
>
> Introduce generic netlink messages into the binder driver so that the
> Linux/Android system administration processes can listen to important
> events and take corresponding actions, like stopping a broken app from
> attacking the OS by sending huge amount of spamming binder transactions.
>
> The binder netlink sources and headers are automatically generated from
> the corresponding binder netlink YAML spec. Don't modify them directly.
>
> Signed-off-by: Li Li <dualli@google.com>
Hi Li Li,
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
...
> static void binder_transaction(struct binder_proc *proc,
> struct binder_thread *thread,
> struct binder_transaction_data *tr, int reply,
> @@ -3683,10 +3764,14 @@ static void binder_transaction(struct binder_proc *proc,
> return_error_line = __LINE__;
> goto err_copy_data_failed;
> }
> - if (t->buffer->oneway_spam_suspect)
> + if (t->buffer->oneway_spam_suspect) {
> tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
> - else
> + if (binder_netlink_enabled(proc, BINDER_FLAG_SPAM))
> + binder_netlink_report(context, BR_ONEWAY_SPAM_SUSPECT,
> + reply, t);
> + } else {
> tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
> + }
> t->work.type = BINDER_WORK_TRANSACTION;
>
> if (reply) {
> @@ -3736,8 +3821,12 @@ static void binder_transaction(struct binder_proc *proc,
> * process and is put in a pending queue, waiting for the target
> * process to be unfrozen.
> */
> - if (return_error == BR_TRANSACTION_PENDING_FROZEN)
> + if (return_error == BR_TRANSACTION_PENDING_FROZEN) {
> tcomplete->type = BINDER_WORK_TRANSACTION_PENDING;
> + if (binder_netlink_enabled(proc, BINDER_FLAG_ASYNC_FROZEN))
> + binder_netlink_report(context, return_error,
> + reply, t);
> + }
> binder_enqueue_thread_work(thread, tcomplete);
> if (return_error &&
> return_error != BR_TRANSACTION_PENDING_FROZEN)
> @@ -3799,6 +3888,10 @@ static void binder_transaction(struct binder_proc *proc,
The code preceding this hunk looks like this:
err_alloc_tcomplete_failed:
if (trace_binder_txn_latency_free_enabled())
binder_txn_latency_free(t);
kfree(t);
binder_stats_deleted(BINDER_STAT_TRANSACTION);
err_alloc_t_failed:
err_bad_todo_list:
err_bad_call_stack:
err_empty_call_stack:
err_dead_binder:
err_invalid_target_handle:
if (target_node) {
binder_dec_node(target_node, 1, 0);
binder_dec_node_tmpref(target_node);
}
1. The labels err_bad_todo_list, err_bad_call_stack,
err_empty_call_stack, and err_invalid_target_handle may
be jumped to before t is initialised.
2. In the err_alloc_tcomplete_failed label t is kfree'd.
However, the call to binder_netlink_report below will dereference t.
Flagged by Smatch.
> binder_dec_node_tmpref(target_node);
> }
>
> + if (binder_netlink_enabled(proc, BINDER_FLAG_FAILED))
> + binder_netlink_report(context, return_error,
> + reply, t);
> +
> binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
> "%d:%d transaction %s to %d:%d failed %d/%d/%d, code %u size %lld-%lld line %d\n",
> proc->pid, thread->pid, reply ? "reply" :
...
> +/**
> + * binder_nl_report_setup_doit() - netlink .doit handler
> + * @skb: the metadata struct passed from netlink driver
> + * @info: the generic netlink struct passed from netlink driver
> + *
> + * Implements the .doit function to process binder netlink commands.
> + */
> +int binder_nl_report_setup_doit(struct sk_buff *skb, struct genl_info *info)
> +{
> + struct binder_context *context = NULL;
> + struct binder_device *device;
> + struct binder_proc *proc;
> + u32 flags, pid;
> + bool found;
> + void *hdr;
> + int ret;
> +
> + ret = security_binder_setup_report(current_cred());
> + if (ret < 0) {
> + NL_SET_ERR_MSG(info->extack, "Permission denied");
> + return ret;
> + }
> +
> + if (nla_len(info->attrs[BINDER_A_CMD_CONTEXT])) {
> + /* Search the specified binder context */
> + hlist_for_each_entry(device, &binder_devices, hlist) {
> + if (!nla_strcmp(info->attrs[BINDER_A_CMD_CONTEXT],
> + device->context.name)) {
> + context = &device->context;
> + break;
> + }
> + }
> +
> + if (!context) {
> + NL_SET_ERR_MSG(info->extack, "Invalid binder context");
> + return -EINVAL;
> + }
> + }
> +
> + pid = nla_get_u32(info->attrs[BINDER_A_CMD_PID]);
> + flags = nla_get_u32(info->attrs[BINDER_A_CMD_FLAGS]);
> +
> + if (!pid) {
> + if (!context) {
> + NL_SET_ERR_MSG(info->extack,
> + "Invalid binder context and pid");
> + return -EINVAL;
> + }
> +
> + /* Set the global flags for the whole binder context */
> + context->report_flags = flags;
> + } else {
> + /* Set the per-process flags */
> + found = false;
> + mutex_lock(&binder_procs_lock);
> + hlist_for_each_entry(proc, &binder_procs, proc_node) {
> + if (proc->pid == pid
> + && (proc->context == context || !context)) {
> + proc->report_flags = flags;
> + found = true;
> + }
> + }
> + mutex_unlock(&binder_procs_lock);
> +
> + if (!found) {
> + NL_SET_ERR_MSG_FMT(info->extack,
> + "Invalid binder report pid %u",
> + pid);
> + return -EINVAL;
> + }
> + }
Within the above conditions it is assumed that context may be NULL.
> +
> + skb = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_KERNEL);
> + if (!skb) {
> + pr_err("Failed to alloc binder netlink reply message\n");
> + return -ENOMEM;
> + }
> +
> + hdr = genlmsg_iput(skb, info);
> + if (!hdr)
> + goto free_skb;
> +
> + if (nla_put_string(skb, BINDER_A_CMD_CONTEXT, context->name) ||
But here context is dereferenced unconditionally.
This does not seem consistent.
Flagged by Smatch.
> + nla_put_u32(skb, BINDER_A_CMD_PID, pid) ||
> + nla_put_u32(skb, BINDER_A_CMD_FLAGS, flags))
> + goto cancel_skb;
> +
> + genlmsg_end(skb, hdr);
> +
> + if (genlmsg_reply(skb, info)) {
> + pr_err("Failed to send binder netlink reply message\n");
> + return -EFAULT;
> + }
> +
> + return 0;
> +
> +cancel_skb:
> + pr_err("Failed to add reply attributes to binder netlink message\n");
> + genlmsg_cancel(skb, hdr);
> +free_skb:
> + pr_err("Free binder netlink reply message on error\n");
> + nlmsg_free(skb);
> + ret = -EMSGSIZE;
> +
> + return ret;
> +}
...
next prev parent reply other threads:[~2025-04-21 15:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-17 0:20 [PATCH RESEND v17 0/3] binder: report txn errors via generic netlink Li Li
2025-04-17 0:20 ` [PATCH RESEND v17 1/3] lsm, selinux: Add setup_report permission to binder Li Li
2025-04-21 15:18 ` Simon Horman
2025-04-22 7:52 ` Li Li
2025-05-20 21:15 ` [PATCH " Paul Moore
2025-05-21 4:13 ` Carlos Llamas
2025-04-17 0:20 ` [PATCH RESEND v17 2/3] binder: report txn errors via generic netlink Li Li
2025-04-21 15:17 ` Simon Horman [this message]
2025-04-22 7:50 ` Li Li
2025-04-17 0:20 ` [PATCH RESEND v17 3/3] binder: transaction report binder_features flag Li Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250421151713.GP2789685@horms.kernel.org \
--to=horms@kernel.org \
--cc=arnd@arndb.de \
--cc=arve@android.com \
--cc=bagasdotme@gmail.com \
--cc=brauner@kernel.org \
--cc=cmllamas@google.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=dualli@chromium.org \
--cc=dualli@google.com \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hridya@google.com \
--cc=joel@joelfernandes.org \
--cc=kernel-team@android.com \
--cc=kuba@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maco@android.com \
--cc=masahiroy@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=pabeni@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=smoreland@google.com \
--cc=surenb@google.com \
--cc=tkjos@android.com \
--cc=tweek@google.com \
--cc=ynaffit@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).