linux-kernel.vger.kernel.org archive mirror
* [PATCH RESEND] android: binder: Sanity check at binder ioctl
@ 2016-01-19  3:45 Chen Feng
  2016-01-19  7:33 ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: Chen Feng @ 2016-01-19  3:45 UTC
  To: puck.chen, gregkh, arve, riandrews, devel, linux-kernel,
	yudongbin, saberlily.xia, suzhuangluan, kong.kongxinwei, xuyiping,
	z.liuxinliang, weidong2, w.f, puck.chen, shimingxing, oliver.fu,
	albert.lubing, chenxiang9, liuzixing, haojian.zhuang, zhaojunmin,
	wangjing6, rientjes, john.stultz
  Cc: qijiwen, peter.panshilin, dan.zhao, linuxarm, dev

When a process forks a child process, we should not allow the
child process to use the binder which was opened by the parent process.

But if the binder-object creator is a thread of one process that exits,
the other thread can also use this binder-object normally.
We can distinguish this by the member proc->tsk->mm.
If the thread exits, the tsk->mm will be NULL.

proc->tsk->mm != current->mm && proc->tsk->mm

So only allow the shared mm_struct to use the same binder-object and
check the existence of mm_struct.

Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
Signed-off-by: Wei  Dong <weidong2@hisilicon.com>
Signed-off-by: Junmin Zhao <zhaojunmin@huawei.com>
Reviewed-by: Zhuangluan Su <suzhuangluan@hisilicon.com>
---
 drivers/android/binder.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a39e85f..279063c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2736,6 +2736,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 
 	/*pr_info("binder_ioctl: %d:%d %x %lx\n",
 			proc->pid, current->pid, cmd, arg);*/
+	if (unlikely(proc->tsk->mm != current->mm && proc->tsk->mm))
+		return -EINVAL;
 
 	trace_binder_ioctl(cmd, arg);
 
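Review bot: the `&& proc->tsk->mm` clause in the added `if` switches the check off once the opening task's mm is NULL, so by the commit message's own description a forked child holding the inherited fd is rejected only while the opener is still alive, and after the opener exits a caller with any mm passes. If the intent is that only the mm which opened this binder may use it, record that identity in proc at open time and compare against it here, rather than reading it through proc->tsk on every ioctl. As written, proc->tsk->mm is also read twice with no lock or READ_ONCE(), so the two reads can disagree if the opener exits in between; read it once into a local. A short comment above the `if` stating why -EINVAL is returned would help, and since the early return sits before trace_binder_ioctl(), rejected calls will not show up in the trace.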
-- 
1.9.1


* Re: [PATCH RESEND] android: binder: Sanity check at binder ioctl
  2016-01-19  3:45 [PATCH RESEND] android: binder: Sanity check at binder ioctl Chen Feng
@ 2016-01-19  7:33 ` Greg KH
  2016-01-19  7:49   ` chenfeng
  0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2016-01-19  7:33 UTC
  To: Chen Feng
  Cc: arve, riandrews, devel, linux-kernel, yudongbin, saberlily.xia,
	suzhuangluan, kong.kongxinwei, xuyiping, z.liuxinliang, weidong2,
	w.f, puck.chen, shimingxing, oliver.fu, albert.lubing, chenxiang9,
	liuzixing, haojian.zhuang, zhaojunmin, wangjing6, rientjes,
	john.stultz, dan.zhao, dev, peter.panshilin, qijiwen, linuxarm

On Tue, Jan 19, 2016 at 11:45:36AM +0800, Chen Feng wrote:
> When a process forks a child process, we should not allow the
> child process to use the binder which was opened by the parent process.
> 
> But if the binder-object creator is a thread of one process that exits,
> the other thread can also use this binder-object normally.
> We can distinguish this by the member proc->tsk->mm.
> If the thread exits, the tsk->mm will be NULL.
> 
> proc->tsk->mm != current->mm && proc->tsk->mm
> 
> So only allow the shared mm_struct to use the same binder-object and
> check the existence of mm_struct.
> 
> Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
> Signed-off-by: Wei  Dong <weidong2@hisilicon.com>
> Signed-off-by: Junmin Zhao <zhaojunmin@huawei.com>
> Reviewed-by: Zhuangluan Su <suzhuangluan@hisilicon.com>
> ---
>  drivers/android/binder.c | 2 ++
>  1 file changed, 2 insertions(+)

Why resend?  What changed from the previous version?

greg k-h


* Re: [PATCH RESEND] android: binder: Sanity check at binder ioctl
  2016-01-19  7:33 ` Greg KH
@ 2016-01-19  7:49   ` chenfeng
  2016-01-19  8:35     ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: chenfeng @ 2016-01-19  7:49 UTC
  To: Greg KH
  Cc: arve, riandrews, devel, linux-kernel, yudongbin, saberlily.xia,
	suzhuangluan, kong.kongxinwei, xuyiping, z.liuxinliang, weidong2,
	w.f, puck.chen, shimingxing, oliver.fu, albert.lubing, chenxiang9,
	liuzixing, haojian.zhuang, zhaojunmin, wangjing6, rientjes,
	john.stultz, dan.zhao, dev, peter.panshilin, qijiwen, linuxarm



On 2016/1/19 15:33, Greg KH wrote:
> On Tue, Jan 19, 2016 at 11:45:36AM +0800, Chen Feng wrote:
>> When a process forks a child process, we should not allow the
>> child process to use the binder which was opened by the parent process.
>>
>> But if the binder-object creator is a thread of one process that exits,
>> the other thread can also use this binder-object normally.
>> We can distinguish this by the member proc->tsk->mm.
>> If the thread exits, the tsk->mm will be NULL.
>>
>> proc->tsk->mm != current->mm && proc->tsk->mm
>>
>> So only allow the shared mm_struct to use the same binder-object and
>> check the existence of mm_struct.
>>
>> Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
>> Signed-off-by: Wei  Dong <weidong2@hisilicon.com>
>> Signed-off-by: Junmin Zhao <zhaojunmin@huawei.com>
>> Reviewed-by: Zhuangluan Su <suzhuangluan@hisilicon.com>
>> ---
>>  drivers/android/binder.c | 2 ++
>>  1 file changed, 2 insertions(+)
> 
> Why resend?  What changed from the previous version?
> 
My fault, it was an error in my commit.
I confused current->mm with current->tsk->mm.
The robot-compile found this error.
> greg k-h
> 
> .
> 


* Re: [PATCH RESEND] android: binder: Sanity check at binder ioctl
  2016-01-19  7:49   ` chenfeng
@ 2016-01-19  8:35     ` Greg KH
  2016-01-19  8:56       ` chenfeng
  0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2016-01-19  8:35 UTC
  To: chenfeng
  Cc: arve, riandrews, devel, linux-kernel, yudongbin, saberlily.xia,
	suzhuangluan, kong.kongxinwei, xuyiping, z.liuxinliang, weidong2,
	w.f, puck.chen, shimingxing, oliver.fu, albert.lubing, chenxiang9,
	liuzixing, haojian.zhuang, zhaojunmin, wangjing6, rientjes,
	john.stultz, dan.zhao, dev, peter.panshilin, qijiwen, linuxarm

On Tue, Jan 19, 2016 at 03:49:27PM +0800, chenfeng wrote:
> 
> 
> On 2016/1/19 15:33, Greg KH wrote:
> > On Tue, Jan 19, 2016 at 11:45:36AM +0800, Chen Feng wrote:
> >> When a process forks a child process, we should not allow the
> >> child process to use the binder which was opened by the parent process.
> >>
> >> But if the binder-object creator is a thread of one process that exits,
> >> the other thread can also use this binder-object normally.
> >> We can distinguish this by the member proc->tsk->mm.
> >> If the thread exits, the tsk->mm will be NULL.
> >>
> >> proc->tsk->mm != current->mm && proc->tsk->mm
> >>
> >> So only allow the shared mm_struct to use the same binder-object and
> >> check the existence of mm_struct.
> >>
> >> Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
> >> Signed-off-by: Wei  Dong <weidong2@hisilicon.com>
> >> Signed-off-by: Junmin Zhao <zhaojunmin@huawei.com>
> >> Reviewed-by: Zhuangluan Su <suzhuangluan@hisilicon.com>
> >> ---
> >>  drivers/android/binder.c | 2 ++
> >>  1 file changed, 2 insertions(+)
> > 
> > Why resend?  What changed from the previous version?
> > 
> My fault, it was an error in my commit.
> I confused current->mm with current->tsk->mm.
> The robot-compile found this error.

Then please make it a 'v2' patch, and say what you changed, otherwise
I'll assume it's identical to the first patch you sent in.

And how did you test the first patch if it couldn't even compile?

greg k-h


* Re: [PATCH RESEND] android: binder: Sanity check at binder ioctl
  2016-01-19  8:35     ` Greg KH
@ 2016-01-19  8:56       ` chenfeng
  0 siblings, 0 replies; 5+ messages in thread
From: chenfeng @ 2016-01-19  8:56 UTC
  To: Greg KH
  Cc: arve, riandrews, devel, linux-kernel, yudongbin, saberlily.xia,
	suzhuangluan, kong.kongxinwei, xuyiping, z.liuxinliang, weidong2,
	w.f, puck.chen, shimingxing, oliver.fu, albert.lubing, chenxiang9,
	liuzixing, haojian.zhuang, zhaojunmin, wangjing6, rientjes,
	john.stultz, dan.zhao, dev, peter.panshilin, qijiwen, linuxarm



On 2016/1/19 16:35, Greg KH wrote:
> On Tue, Jan 19, 2016 at 03:49:27PM +0800, chenfeng wrote:
>>
>>
>> On 2016/1/19 15:33, Greg KH wrote:
>>> On Tue, Jan 19, 2016 at 11:45:36AM +0800, Chen Feng wrote:
>>>> When a process forks a child process, we should not allow the
>>>> child process to use the binder which was opened by the parent process.
>>>>
>>>> But if the binder-object creator is a thread of one process that exits,
>>>> the other thread can also use this binder-object normally.
>>>> We can distinguish this by the member proc->tsk->mm.
>>>> If the thread exits, the tsk->mm will be NULL.
>>>>
>>>> proc->tsk->mm != current->mm && proc->tsk->mm
>>>>
>>>> So only allow the shared mm_struct to use the same binder-object and
>>>> check the existence of mm_struct.
>>>>
>>>> Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
>>>> Signed-off-by: Wei  Dong <weidong2@hisilicon.com>
>>>> Signed-off-by: Junmin Zhao <zhaojunmin@huawei.com>
>>>> Reviewed-by: Zhuangluan Su <suzhuangluan@hisilicon.com>
>>>> ---
>>>>  drivers/android/binder.c | 2 ++
>>>>  1 file changed, 2 insertions(+)
>>>
>>> Why resend?  What changed from the previous version?
>>>
>> My fault, it was an error in my commit.
>> I confused current->mm with current->tsk->mm.
>> The robot-compile found this error.
> 
> Then please make it a 'v2' patch, and say what you changed, otherwise
> I'll assume it's identical to the first patch you sent in.
> 
> And how did you test the first patch if it couldn't even compile?
> 
It works well on our platform with hundreds of mobile phones.
Since our working branch is not mainline, and the patch is sent for mainline
review.

I made a mistake while making the patch. I will send a new V2 for this patch.
Thanks!

> greg k-h
> 
> .
> 

