binder: fix proc->files use-after-free
commit c0d75dacffb9cf3c0e3812ba0c7607c063cd7e9d
author Todd Kjos <tkjos@android.com>
Mon, 27 Nov 2017 17:32:33 +0000 (27 09:32 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Dec 2018 12:05:07 +0000 (8 13:05 +0100)
tree d5dd793271489717d56dfb52d997b8c928922762
parent 412091e27d295c53582a9b038af1343dd544944c
binder: fix proc->files use-after-free

commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream.

proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".

The fix is to protect proc->files with a mutex to prevent cleanup
while in use.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/android/binder.c
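As an added illustration (not code from binder.c or from this patch), here is a userspace C model of the race the commit message describes and of the mutex fix: a path that snapshots proc->files and uses the copy later, while cleanup initiated from binder_vma_close can release the files_struct in between. The struct and function names mirror the ones in the message; the name files_lock, the -ESRCH return when proc->files is already NULL, and the trylock-based stand-in for a mutex that would block in the kernel are assumptions of this model, and all inputs are constructed.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not binder.c): proc->files points at an object whose
 * lifetime follows the vma, not the binder_proc, so a binder_proc reference
 * does not keep it alive. */
struct files_struct {
    int next_fd;
    bool freed;   /* set instead of calling free(), so a later use is detectable */
};

struct binder_proc {
    struct files_struct *files;
    pthread_mutex_t files_lock;   /* the fix: serializes use and cleanup of ->files */
};

/* Stand-in for put_files_struct(): after this the kernel may reuse the memory. */
static void put_files_struct(struct files_struct *f) { f->freed = true; }

/* Stand-in for __alloc_fd(). -1 marks the point where the real driver would
 * dereference a released files_struct (the use-after-free). */
static int alloc_fd(struct files_struct *files)
{
    return files->freed ? -1 : files->next_fd++;
}

/* Cleanup as triggered by binder_vma_close before the fix: nothing stops it
 * from running while another path still holds the old pointer. */
static void vma_close_unfixed(struct binder_proc *proc)
{
    struct files_struct *f = proc->files;
    proc->files = NULL;
    if (f) put_files_struct(f);
}

/* Cleanup with the fix: ->files is cleared only under files_lock. The kernel
 * would block on the mutex; this single-threaded model uses trylock and
 * reports "had to wait" as false (assumption of the model). */
static bool vma_close_fixed(struct binder_proc *proc)
{
    if (pthread_mutex_trylock(&proc->files_lock) != 0)
        return false;
    struct files_struct *f = proc->files;
    proc->files = NULL;
    pthread_mutex_unlock(&proc->files_lock);
    if (f) put_files_struct(f);
    return true;
}

/* task_get_unused_fd_flags() before the fix. `interleave` stands in for
 * another CPU running binder_vma_close between the load and the use. */
static int get_unused_fd_unfixed(struct binder_proc *proc,
                                 void (*interleave)(struct binder_proc *))
{
    struct files_struct *files = proc->files;   /* snapshot of the pointer */
    if (interleave) interleave(proc);            /* ->files released here */
    if (!files) return -ESRCH;
    return alloc_fd(files);                      /* stale pointer */
}

/* task_get_unused_fd_flags() with the fix: hold files_lock from the load of
 * proc->files through its last use; NULL means the process is going away. */
static int get_unused_fd_fixed(struct binder_proc *proc, bool race)
{
    int ret;
    bool cleanup_waiting = false;

    pthread_mutex_lock(&proc->files_lock);
    if (race)
        cleanup_waiting = !vma_close_fixed(proc);   /* cannot take the lock now */
    struct files_struct *files = proc->files;
    if (!files) { ret = -ESRCH; goto out; }
    ret = alloc_fd(files);   /* safe: cleanup is excluded while we hold the lock */
out:
    pthread_mutex_unlock(&proc->files_lock);
    if (cleanup_waiting) vma_close_fixed(proc);   /* deferred cleanup proceeds */
    return ret;
}

/* Constructed input: one files_struct whose next free fd is 3. */
static void setup(struct binder_proc *proc, struct files_struct *files)
{
    files->next_fd = 3;
    files->freed = false;
    proc->files = files;
    pthread_mutex_init(&proc->files_lock, NULL);
}

static int run_unfixed_race(void)
{
    struct files_struct files; struct binder_proc proc;
    setup(&proc, &files);
    return get_unused_fd_unfixed(&proc, vma_close_unfixed);   /* uses released files */
}

static int run_fixed_race(void)
{
    struct files_struct files; struct binder_proc proc;
    setup(&proc, &files);
    int fd = get_unused_fd_fixed(&proc, true);
    /* fd was allocated first, and the cleanup still completed afterwards */
    return (proc.files == NULL && files.freed) ? fd : -2;
}

static int run_fixed_after_close(void)
{
    struct files_struct files; struct binder_proc proc;
    setup(&proc, &files);
    vma_close_fixed(&proc);
    return get_unused_fd_fixed(&proc, false);   /* -ESRCH, no dereference */
}
```

Build with any C99 compiler (older glibc needs -lpthread for the mutex calls). run_unfixed_race() returns -1 because the snapshot of proc->files is used after cleanup released it, which is the failure the message reports from __alloc_fd(); run_fixed_race() returns 3 and the cleanup still completes once the lock is dropped; run_fixed_after_close() returns -ESRCH instead of touching a released pointer.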