Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6bf7d3c5 authored by Todd Kjos's avatar Todd Kjos Committed by Greg Kroah-Hartman
Browse files

binder: fix handling of misaligned binder object 



commit 26528be6720bb40bc8844e97ee73a37e530e9c5e upstream.

Fixes crash found by syzbot:
kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

Reported-and-tested-by: default avatar <syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com>
Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Reviewed-by: default avatarJoel Fernandes (Google) <joel@joelfernandes.org>
Cc: stable <stable@vger.kernel.org> # 5.0, 4.19, 4.14
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8c37f7c2

drivers/android/binder_alloc.c

+8 −10
Original line number Diff line number Diff line
@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item, 


	index = page - alloc->pages;

	page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;

	vma = binder_alloc_get_vma(alloc);

	if (vma) {

		if (!mmget_not_zero(alloc->vma_vm_mm))

			goto err_mmget;



	mm = alloc->vma_vm_mm;

	if (!mmget_not_zero(mm))

		goto err_mmget;

	if (!down_write_trylock(&mm->mmap_sem))

		goto err_down_write_mmap_sem_failed;

	}

	vma = binder_alloc_get_vma(alloc);



	list_lru_isolate(lru, item);

	spin_unlock(lock);
@@ -978,10 +977,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, 
			       PAGE_SIZE);



		trace_binder_unmap_user_end(alloc, index);



	}

	up_write(&mm->mmap_sem);

	mmput(mm);

	}



	trace_binder_unmap_kernel_start(alloc, index);