    • binder: remove BINDER_DEBUG_ENTRY() · 1ed959a6
      Yangtao Li authored
      We already have the DEFINE_SHOW_ATTRIBUTE. There is no need to define
      such a macro, so remove BINDER_DEBUG_ENTRY.
      Signed-off-by: Yangtao Li <>
      Acked-by: Todd Kjos <>
      Reviewed-by: Joey Pabalinas <>
      Signed-off-by: Greg Kroah-Hartman <>
      (cherry picked from commit c13e0a5288195aadec1e53af7a48ea8dae971416)
    • fs: move filp_close() outside of __close_fd_get_file() · c1437c6d
      Jens Axboe authored
      Just one caller of this, and just use filp_close() there manually.
      This is important to allow async close/removal of the fd.
      Signed-off-by: Jens Axboe <>
      (cherry picked from commit 6e802a4ba056a6f2f51ac9d54eead3ed6f9829a2)
    • binder: fix use-after-free due to ksys_close() during fdget() · 29043942
      Todd Kjos authored
      44d8047f1d8 ("binder: use standard functions to allocate fds")
      exposed a pre-existing issue in the binder driver.
      fdget() is used in ksys_ioctl() as a performance optimization.
      One of the rules associated with fdget() is that ksys_close() must
      not be called between the fdget() and the fdput(). There is a case
      where this requirement is not met in the binder driver which results
      in the reference count dropping to 0 when the device is still in
      use. This can result in use-after-free or other issues.
      If userspace has passed a file-descriptor for the binder driver using
      a BINDER_TYPE_FDA object, then ksys_close() is called on it when
      handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
      the assumptions for using fdget().
      The problem is fixed by deferring the close using task_work_add(). A
      new variant of __close_fd() was created that returns a struct file
      with a reference. The fput() is deferred instead of using ksys_close().
      Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds")
      Suggested-by: Al Viro <>
      Signed-off-by: Todd Kjos <>
      Cc: stable <>
      Signed-off-by: Greg Kroah-Hartman <>
      (cherry picked from commit 80cd795630d6526ba729a089a435bf74a57af927)
    • binder: fix null deref of proc->context · 91596232
      Todd Kjos authored
      The binder driver makes the assumption proc->context pointer is invariant after
      initialization (as documented in the kerneldoc header for struct proc).
      However, in commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
      proc->context is set to NULL during binder_deferred_release().
      Another proc was in the middle of setting up a transaction to the dying
      process and crashed on a NULL pointer deref on "context" which is a local
      set to &proc->context:
          new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
      Here's the stack:
      [ 5237.855435] Call trace:
      [ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
      [ 5237.855446] binder_inc_ref_for_node+0x140/0x280
      [ 5237.855451] binder_translate_binder+0x1d0/0x388
      [ 5237.855456] binder_transaction+0x2228/0x3730
      [ 5237.855461] binder_thread_write+0x640/0x25bc
      [ 5237.855466] binder_ioctl_write_read+0xb0/0x464
      [ 5237.855471] binder_ioctl+0x30c/0x96c
      [ 5237.855477] do_vfs_ioctl+0x3e0/0x700
      [ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
      [ 5237.855488] el0_svc_common+0xb4/0x194
      [ 5237.855493] el0_svc_handler+0x74/0x98
      [ 5237.855497] el0_svc+0x8/0xc
      The fix is to move the kfree of the binder_device to binder_free_proc()
      so the binder_device is freed when we know there are no references
      remaining on the binder_proc.
      Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
      Acked-by: Christian Brauner <>
      Signed-off-by: Todd Kjos <>
      Cc: stable <>
      Signed-off-by: Greg Kroah-Hartman <>
      (cherry picked from commit d35d3660e065b69fdb8bf512f3d899f350afce52)
