linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com,
	Martijn Coenen <maco@android.com>,
	Mattias Nissler <mnissler@chromium.org>
Subject: [PATCH 4.4 24/36] ANDROID: binder: synchronize_rcu() when using POLLFREE.
Date: Sun,  6 Oct 2019 19:19:06 +0200
Message-ID: <20191006171055.071482679@linuxfoundation.org>
In-Reply-To: <20191006171038.266461022@linuxfoundation.org>

From: Martijn Coenen <maco@android.com>

commit 5eeb2ca02a2f6084fc57ae5c244a38baab07033a upstream.

To prevent races with ep_remove_waitqueue() removing the
waitqueue at the same time.

Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14+
Signed-off-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2623,6 +2623,15 @@ static int binder_free_thread(struct bin
 		wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
 	}
 
+	/*
+	 * This is needed to avoid races between wake_up_poll() above and
+	 * and ep_remove_waitqueue() called for other reasons (eg the epoll file
+	 * descriptor being closed); ep_remove_waitqueue() holds an RCU read
+	 * lock, so we can be sure it's done after calling synchronize_rcu().
+	 */
+	if (thread->looper & BINDER_LOOPER_STATE_POLL)
+		synchronize_rcu();
+
 	if (send_reply)
 		binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
 	binder_release_work(&thread->todo);
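
Review bot: the added synchronize_rcu() in binder_free_thread() blocks for a full RCU grace period, and neither the hunk nor the changelog says that this path always runs in sleepable context with no spinlock held; please state that in the commit message, along with the cost of stalling every exit of a thread that has BINDER_LOOPER_STATE_POLL set. The Cc: stable tag reads "# 4.14+" while this posting targets 4.4, so a short backport note explaining why it applies here would help. In the new comment, "and" is duplicated across the first two lines ("wake_up_poll() above and / and ep_remove_waitqueue()"), and the epoll helper in fs/eventpoll.c is spelled ep_remove_wait_queue(), so the name as written will not be found by grep.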


