From: Greg KH <gregkh@linuxfoundation.org>
To: Todd Kjos <tkjos@google.com>
Cc: "Dan Carpenter" <dan.carpenter@oracle.com>,
	"Martijn Coenen" <maco@android.com>,
	"open list:ANDROID DRIVERS" <devel@driverdev.osuosl.org>,
	LKML <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>,
	"Arve Hjønnevåg" <arve@android.com>,
	"Martijn Coenen" <maco@google.com>,
	"Joel Fernandes" <joel@joelfernandes.org>,
	kernel-team@android.com,
	"Christian Brauner" <christian@brauner.io>
Subject: Re: [PATCH] binder: make sure fd closes complete
Date: Tue, 14 Sep 2021 09:01:43 +0200
Message-ID: <YUBI1wmzXpJCH3ZS@kroah.com>
In-Reply-To: <CAHRSSEyDDmGRrc_paxJ2-Gkx=qMhKKhTr_Mpj-DiL8L1gcm5VA@mail.gmail.com>

On Fri, Sep 03, 2021 at 12:38:26PM -0700, Todd Kjos wrote:
> On Fri, Sep 3, 2021 at 1:06 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > On Thu, Sep 02, 2021 at 08:35:35AM -0700, Todd Kjos wrote:
> > > On Tue, Aug 31, 2021 at 12:24 AM Martijn Coenen <maco@android.com> wrote:
> > > >
> > > > On Mon, Aug 30, 2021 at 9:51 PM 'Todd Kjos' via kernel-team
> > > > <kernel-team@android.com> wrote:
> > > > >
> > > > > During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
> > > > > cleanup may close 1 or more fds. The close operations are
> > > > > completed using the task work mechanism -- which means the thread
> > > > > needs to return to userspace or the file object may never be
> > > > > dereferenced -- which can lead to hung processes.
> > > > >
> > > > > Force the binder thread back to userspace if an fd is closed during
> > > > > BC_FREE_BUFFER handling.
> > > > >
> > > > > Signed-off-by: Todd Kjos <tkjos@google.com>
> > > > Reviewed-by: Martijn Coenen <maco@android.com>
> > >
> > > Please also add to stable releases 5.4 and later.
> >
> > It would be better if this had a fixes tag so we knew which is the first
> > buggy commit.
> >
> > There was a long Project Zero article about the Bad Binder exploit
> > because commit f5cb779ba163 ("ANDROID: binder: remove waitqueue when
> > thread exits.") was marked as # 4.14 but it didn't have a Fixes tag and
> > the actual buggy commit was in 4.9.
> 
> Good point Dan. I should have included a Fixes tag. Here is the tag
> (issue introduced in 4.20):
> 
> Fixes: 80cd795630d6 ("binder: fix use-after-free due to ksys_close() during fdget()")
> 
> Greg- would you like me to send a v2 with the Fixes tag and CC'ing
> stable appropriately?

I've added it to the commit when I added it to my tree, no need to
resend.

thanks,

greg k-h
