From patchwork Tue Sep 5 17:21:52 2017
X-Patchwork-Submitter: Todd Kjos
X-Patchwork-Id: 111705
From: Todd Kjos
To: gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, tkjos@google.com, xuyiping@hisilicon.com, gengyanping@hisilicon.com, shiwanglai@hisilicon.com
Subject: [PATCH] binder: fix memory corruption in binder_transaction binder
Date: Tue, 5 Sep 2017 10:21:52 -0700
Message-Id: <20170905172152.36227-1-tkjos@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xu YiPing

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in the err_dead_proc_or_thread case, the tcomplete is directly freed, without being dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing.

Signed-off-by: Xu YiPing
Signed-off-by: Todd Kjos
---
 drivers/android/binder.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d055b3f2a207..96cc28afa383 100644 --- a/drivers/android/binder.c
+++ b/drivers/android/binder.c @@ -3083,6 +3083,7 @@ static void binder_transaction(struct binder_proc *proc, err_dead_proc_or_thread: return_error = BR_DEAD_REPLY; return_error_line = __LINE__; + binder_dequeue_work(proc, tcomplete); err_translate_failed: err_bad_object_type: err_bad_offset:
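Review bot: the commit message names the commit that introduced the bug (7a4408c6bd3e) but the patch carries no `Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")` tag and no `Cc: stable@vger.kernel.org`; for a fix to a freed-while-linked list entry in the error path of binder_transaction, both belong in the trailer so stable picks it up. On the hunk itself, the new `binder_dequeue_work(proc, tcomplete);` sits under `err_dead_proc_or_thread:` only, and everything below it (`err_translate_failed:`, `err_bad_object_type:`, `err_bad_offset:`, ...) falls through without a dequeue; that asymmetry is correct given the message (tcomplete is queued on thread->todo only right before the transaction is enqueued, after object translation has succeeded), but nothing at the label says so. A one-line comment such as `/* tcomplete is already on thread->todo here; unlink before the fall-through frees it */` would stop the next person from "fixing" the other labels the same way, or from reordering the labels and moving the free above the dequeue.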
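The bug class the commit message describes is easy to miss in a long error-label chain, so here is an added, self-contained model of it in C. This is example code written for this page, not the binder driver's own code: the list primitives imitate the kernel's list_head, `struct work` and `struct thread` stand in for binder_work and binder_thread, `dequeue_work` models binder_dequeue_work, and the allocator is a small poisoning pool (an assumption made so the dangling link can be observed deterministically; under a real slab allocator the same list walk is a use-after-free). The scenario queues a completion work item on the caller's todo list, then takes the "target is dead" error path with and without the one-line fix, and finally walks the list the way a reader of the todo list would.

```c
/*
 * Added example, not from the patch or drivers/android/binder.c: a freed
 * work item left linked into a thread's todo list, with and without the fix.
 */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Intrusive doubly-linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

/* Stand-in for binder_work (assumed layout, not the driver's). */
struct work {
    struct list_head entry;
    unsigned int magic;   /* WORK_LIVE while allocated, WORK_FREED after free */
};
#define WORK_LIVE  0x4c495645u
#define WORK_FREED 0xdeadbeefu

/* Fixed-size pool instead of kmalloc/kfree so freed memory stays readable. */
static struct work pool[4];
static size_t pool_used;

static struct work *work_alloc(void)
{
    if (pool_used >= sizeof pool / sizeof pool[0]) return NULL;
    struct work *w = &pool[pool_used++];
    INIT_LIST_HEAD(&w->entry);
    w->magic = WORK_LIVE;
    return w;
}

/* Poisoning free: models the memory being handed to someone else. */
static void work_free(struct work *w) { w->magic = WORK_FREED; }

/* Stand-in for binder_thread: only the todo list matters here. */
struct thread { struct list_head todo; };

/* Models binder_dequeue_work(): unlink the item if it is still queued. */
static void dequeue_work(struct work *w)
{
    if (w->entry.next != &w->entry) list_del_init(&w->entry);
}

/*
 * Models the tail of binder_transaction(): tcomplete is queued on the
 * caller's todo list, then the target turns out to be dead and control
 * reaches err_dead_proc_or_thread. `patched` selects the fixed behaviour.
 */
static void transaction_to_dead_target(struct thread *th, bool patched)
{
    struct work *tcomplete = work_alloc();
    list_add_tail(&tcomplete->entry, &th->todo);   /* binder_enqueue_work */
    /* ... target proc/thread is dead -> err_dead_proc_or_thread ... */
    if (patched)
        dequeue_work(tcomplete);                   /* the one-line fix */
    work_free(tcomplete);                          /* kfree(tcomplete) */
}

/*
 * Walk todo as a reader of the list would. Returns the number of live
 * entries, or -1 if a freed entry is still linked (the corruption).
 */
static int todo_check(struct thread *th)
{
    int n = 0;
    for (struct list_head *p = th->todo.next; p != &th->todo; p = p->next) {
        struct work *w = list_entry(p, struct work, entry);
        if (w->magic != WORK_LIVE) return -1;
        n++;
    }
    return n;
}

/* One pre-existing live item on todo, then the failing transaction. */
static int run_scenario(bool patched)
{
    struct thread th;
    INIT_LIST_HEAD(&th.todo);
    pool_used = 0;
    list_add_tail(&work_alloc()->entry, &th.todo);
    transaction_to_dead_target(&th, patched);
    return todo_check(&th);
}

int main(void)
{
    printf("unpatched: %d (-1 = freed work still on todo)\n", run_scenario(false));
    printf("patched:   %d live entries\n", run_scenario(true));
    return 0;
}
```

Without the dequeue the freed item stays reachable from thread->todo, so the next reader of the list follows `next`/`prev` pointers into memory the allocator has already reused; with the dequeue the item is unlinked first and only the unrelated live entry remains. The pool-and-poison allocator is what makes the unpatched result a deterministic -1 rather than a crash or silent corruption.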