From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Martijn Coenen <maco@android.com>,
syzbot <syzkaller@googlegroups.com>
Subject: [PATCH 4.15 42/55] ANDROID: binder: remove waitqueue when thread exits.
Date: Fri, 2 Feb 2018 17:59:00 +0100 [thread overview]
Message-ID: <20180202140830.212435163@linuxfoundation.org> (raw)
In-Reply-To: <20180202140826.117602411@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f upstream.
binder_poll() passes the thread->wait waitqueue that
can be slept on for work. When a thread that uses
epoll explicitly exits using BINDER_THREAD_EXIT,
the waitqueue is freed, but it is never removed
from the corresponding epoll data structure. When
the process subsequently exits, the epoll cleanup
code tries to access the waitlist, which results in
a use-after-free.
Prevent this by using POLLFREE when the thread exits.
Signed-off-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4302,6 +4302,18 @@ static int binder_thread_release(struct
if (t)
spin_lock(&t->lock);
}
+
+ /*
+ * If this thread used poll, make sure we remove the waitqueue
+ * from any epoll data structures holding it with POLLFREE.
+ * waitqueue_active() is safe to use here because we're holding
+ * the inner lock.
+ */
+ if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
+ waitqueue_active(&thread->wait)) {
+ wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
+ }
+
binder_inner_proc_unlock(thread->proc);
if (send_reply)
next prev parent reply other threads:[~2018-02-02 16:59 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-02 16:58 [PATCH 4.15 00/55] 4.15.1-stable review Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 01/55] Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 02/55] tools/gpio: Fix build error with musl libc Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 03/55] gpio: stmpe: i2c transfer are forbiden in atomic context Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 04/55] gpio: Fix kernel stack leak to userspace Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 05/55] ALSA: hda - Reduce the suspend time consumption for ALC256 Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 06/55] crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 07/55] crypto: aesni - handle zero length dst buffer Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 08/55] crypto: aesni - fix typo in generic_gcmaes_decrypt Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 09/55] crypto: aesni - add wrapper for generic gcm(aes) Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 10/55] crypto: aesni - Fix out-of-bounds access of the data buffer in generic-gcm-aesni Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 11/55] crypto: aesni - Fix out-of-bounds access of the AAD " Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 12/55] crypto: inside-secure - fix hash when length is a multiple of a block Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 13/55] crypto: inside-secure - avoid unmapping DMA memory that was not mapped Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 14/55] crypto: sha3-generic - fixes for alignment and big endian operation Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 15/55] crypto: af_alg - whitelist mask and type Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 16/55] HID: wacom: EKR: ensure devres groups at higher indexes are released Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 17/55] HID: wacom: Fix reporting of touch toggle (WACOM_HID_WD_MUTE_DEVICE) events Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 18/55] power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 19/55] gpio: iop: " Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 20/55] gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 21/55] mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 22/55] igb: Free IRQs when device is hotplugged Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 23/55] ima/policy: fix parsing of fsuuid Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 24/55] scsi: aacraid: Fix udev inquiry race condition Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 25/55] scsi: aacraid: Fix hang in kdump Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 26/55] scsi: storvsc: missing error code in storvsc_probe() Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 27/55] staging: lustre: separate a connection destroy from free struct kib_conn Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 28/55] staging: ccree: NULLify backup_info when unused Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 29/55] staging: ccree: fix fips event irq handling build Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 30/55] tty: fix data race between tty_init_dev and flush of buf Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 31/55] usb: option: Add support for FS040U modem Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 32/55] USB: serial: pl2303: new device id for Chilitag Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 33/55] USB: cdc-acm: Do not log urb submission errors on disconnect Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 34/55] CDC-ACM: apply quirk for card reader Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 35/55] USB: serial: io_edgeport: fix possible sleep-in-atomic Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 36/55] usbip: prevent bind loops on devices attached to vhci_hcd Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 37/55] usbip: list: dont list " Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 38/55] USB: serial: simple: add Motorola Tetra driver Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 39/55] usb: f_fs: Prevent gadget unbind if it is already unbound Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 40/55] usb: uas: unconditionally bring back host after reset Greg Kroah-Hartman
2018-02-02 16:58 ` [PATCH 4.15 41/55] usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc() Greg Kroah-Hartman
2018-02-02 16:59 ` Greg Kroah-Hartman [this message]
2018-02-02 16:59 ` [PATCH 4.15 43/55] android: binder: use VM_ALLOC to get vm area Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 44/55] mei: me: allow runtime pm for platform with D0i3 Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 45/55] serial: 8250_of: fix return code when probe function fails to get reset Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 46/55] serial: 8250_uniphier: fix error return code in uniphier_uart_probe() Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 47/55] serial: 8250_dw: Revert "Improve clock rate setting" Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 48/55] serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 49/55] spi: imx: do not access registers while clocks disabled Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 50/55] iio: adc: stm32: fix scan of multiple channels with DMA Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 51/55] iio: chemical: ccs811: Fix output of IIO_CONCENTRATION channels Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 52/55] test_firmware: fix missing unlock on error in config_num_requests_store() Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 53/55] Input: synaptics-rmi4 - unmask F03 interrupts when port is opened Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 54/55] Input: synaptics-rmi4 - do not delete interrupt memory too early Greg Kroah-Hartman
2018-02-02 16:59 ` [PATCH 4.15 55/55] x86/efi: Clarify that reset attack mitigation needs appropriate userspace Greg Kroah-Hartman
2018-02-02 22:17 ` [PATCH 4.15 00/55] 4.15.1-stable review Shuah Khan
2018-02-03 5:16 ` Greg Kroah-Hartman
2018-02-03 4:35 ` Dan Rue
2018-02-03 5:18 ` Greg Kroah-Hartman
2018-02-05 15:50 ` Milosz Wasilewski
2018-02-03 15:34 ` Guenter Roeck
2018-02-03 15:44 ` Greg Kroah-Hartman
2018-02-03 16:46 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180202140830.212435163@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@android.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).