Date: Thu, 26 Sep 2024 23:36:12 +0000
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
References: <20240926233632.821189-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.1.824.gd892dcdcdd-goog
Message-ID: <20240926233632.821189-2-cmllamas@google.com>
Subject: [PATCH v2 1/8] binder: fix node UAF in binder_add_freeze_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org, Todd Kjos

In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff53c04c29dd04 by task freeze/640

  CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
  Hardware name: linux,dummy-virt (DT)
  Call trace:
    _raw_spin_lock+0xe4/0x19c
    binder_add_freeze_work+0x148/0x478
    binder_ioctl+0x1e70/0x25ac
    __arm64_sys_ioctl+0x124/0x190

  Allocated by task 637:
    __kmalloc_cache_noprof+0x12c/0x27c
    binder_new_node+0x50/0x700
    binder_transaction+0x35ac/0x6f74
    binder_thread_write+0xfb8/0x42a0
    binder_ioctl+0x18f0/0x25ac
    __arm64_sys_ioctl+0x124/0x190

  Freed by task 637:
    kfree+0xf0/0x330
    binder_thread_read+0x1e88/0x3a68
    binder_ioctl+0x16d8/0x25ac
    __arm64_sys_ioctl+0x124/0x190
  ==================================================================

Fix the race by taking a temporary reference on the node before
releasing the proc->inner lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl
Acked-by: Todd Kjos
Signed-off-by: Carlos Llamas
---
 drivers/android/binder.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 978740537a1a..4d90203ea048 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5552,6 +5552,7 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
 
 static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
 {
+	struct binder_node *prev = NULL;
 	struct rb_node *n;
 	struct binder_ref *ref;
 
@@ -5560,7 +5561,10 @@ static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
 		struct binder_node *node;
 
 		node = rb_entry(n, struct binder_node, rb_node);
+		binder_inc_node_tmpref_ilocked(node);
 		binder_inner_proc_unlock(proc);
+		if (prev)
+			binder_put_node(prev);
 		binder_node_lock(node);
 		hlist_for_each_entry(ref, &node->refs, node_entry) {
 			/*
@@ -5586,10 +5590,13 @@ static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
 			}
 			binder_inner_proc_unlock(ref->proc);
 		}
+		prev = node;
 		binder_node_unlock(node);
 		binder_inner_proc_lock(proc);
 	}
 	binder_inner_proc_unlock(proc);
+	if (prev)
+		binder_put_node(prev);
 }
 
 static int binder_ioctl_freeze(struct binder_freeze_info *info,
-- 
2.46.1.824.gd892dcdcdd-goog
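Review bot: in hunk @@ -5560 the reference taken by binder_inc_node_tmpref_ilocked() only pins the node's memory; it does not keep the node in proc->nodes, so the rb_next(n) that runs after binder_inner_proc_lock(proc) at the bottom of the loop can still step through a node that binder_deferred_release() has moved onto binder_dead_nodes, which is exactly the OOB that patch 2/8 adds the is_dead check for. Suggest saying in the commit message that this patch closes only the free half of the race and that 2/8 is required for the iteration itself, so a stable backport does not pick one without the other.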
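Review bot: in hunk @@ -5586 the reference on `node` is not dropped in the same iteration but parked in `prev` and released at the top of the next one, and once more after the final binder_inner_proc_unlock(proc); nothing in the hunk says why, and the reason (binder_put_node() may take proc->inner_lock itself, so it cannot run under the lock) deserves a one-line comment next to `prev = node;` so a later cleanup does not turn it into an immediate put while the lock is held.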
Date: Thu, 26 Sep 2024 23:36:13 +0000
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
References: <20240926233632.821189-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.1.824.gd892dcdcdd-goog
Message-ID: <20240926233632.821189-3-cmllamas@google.com>
Subject: [PATCH v2 2/8] binder: fix OOB in binder_add_freeze_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org, Todd Kjos

In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:

  ==================================================================
  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
  Read of size 8 at addr ffffcb84285f7170 by task freeze/660

  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
  Hardware name: linux,dummy-virt (DT)
  Call trace:
    rb_next+0xfc/0x124
    binder_add_freeze_work+0x344/0x534
    binder_ioctl+0x1e70/0x25ac
    __arm64_sys_ioctl+0x124/0x190

  The buggy address belongs to the variable:
    binder_dead_nodes+0x10/0x40
  [...]
  ==================================================================

This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:

  struct binder_node {
  [...]
	union {
		struct rb_node rb_node;
		struct hlist_node dead_node;
	};

Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl
Acked-by: Todd Kjos
Signed-off-by: Carlos Llamas
---
 drivers/android/binder.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 4d90203ea048..8bca2de6fa24 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5593,6 +5593,8 @@ static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
 		prev = node;
 		binder_node_unlock(node);
 		binder_inner_proc_lock(proc);
+		if (proc->is_dead)
+			break;
 	}
 	binder_inner_proc_unlock(proc);
 	if (prev)
-- 
2.46.1.824.gd892dcdcdd-goog
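Review bot: the `if (proc->is_dead) break;` in hunk @@ -5593 sits right after binder_inner_proc_lock(proc), so it is evaluated under the same lock binder_deferred_release() uses to detach the nodes, which is what makes it a valid guard for the rb_next(n) in the for header. On the break path the loop exits with the temporary reference still parked in `prev`, and the trailing `if (prev)` in the context shows it is released after the unlock, so this fix only works on top of patch 1/8; a sentence in the commit message stating that ordering would help whoever queues these for stable.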
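The two loop fixes in 1/8 and 2/8, modelled in C as an added example that is not code from this series or from the binder driver: one single-threaded walk whose pre-fix and post-fix shapes are selected by a flag, a callback standing in for the concurrent binder_deferred_release() that fires while the walker has dropped proc->inner_lock, and a poison flag standing in for kfree() so the model stays deterministic. All struct, field and function names (pool, dead_nodes, touch, walk) are the model's own assumptions, not binder's.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define NNODES 4
struct node {
	int tmpref;          /* models binder_node tmp_refs */
	bool released;       /* taken out of proc->nodes by the release path */
	bool freed;          /* poison flag standing in for kfree() */
	struct node *link;   /* models the rb_node/dead_node union; followed as rb_next() */
};

static struct node pool[NNODES];        /* constructed input: four live nodes */
static struct node dead_nodes;          /* models the global binder_dead_nodes head */
static struct node *proc_nodes;         /* stands in for the proc->nodes rbtree */
static bool proc_is_dead;
static int lock_depth;                  /* proc->inner_lock hold count */
static int visited, freed_touches, oob_touches;

static void inner_lock(void)   { lock_depth++; }
static void inner_unlock(void) { assert(lock_depth > 0); lock_depth--; }

/* Fresh proc with NNODES live nodes chained in tree order. */
static void setup_proc(void)
{
	for (int i = 0; i < NNODES; i++) {
		pool[i].tmpref = 0;
		pool[i].released = pool[i].freed = false;
		pool[i].link = (i + 1 < NNODES) ? &pool[i + 1] : NULL;
	}
	dead_nodes.link = NULL;
	proc_nodes = &pool[0];
	proc_is_dead = false;
	lock_depth = visited = freed_touches = oob_touches = 0;
}

/* Simulated binder_deferred_release(): runs while the walker is unlocked, marks
 * the proc dead, detaches every node and frees the ones nobody holds. */
static void release_proc(void)
{
	struct node *n = proc_nodes, *next;
	assert(lock_depth == 0);
	proc_is_dead = true;
	proc_nodes = NULL;
	for (; n; n = next) {
		next = n->link;
		n->link = &dead_nodes;   /* now points into the global head, which is what the union makes rb_next() read */
		n->released = true;
		if (n->tmpref == 0) n->freed = true;
	}
}

/* binder_put_node() may take proc->inner_lock itself, so it is called unlocked;
 * dropping the last reference on a released node frees it. */
static void put_node(struct node *n)
{
	assert(lock_depth == 0);
	if (--n->tmpref == 0 && n->released) n->freed = true;
}

/* Every dereference of the current node is counted here instead of crashing. */
static void touch(struct node *n)
{
	if (n == &dead_nodes) oob_touches++;      /* the 2/8 global-out-of-bounds */
	else if (n->freed) freed_touches++;       /* the 1/8 slab-use-after-free */
}

/* The binder_add_freeze_work() loop; fixed == true adds the marked 1/8 and 2/8 lines.
 * release_proc() fires once, in the unlocked window of node race_at (never if < 0).
 * Returns the number of bad accesses; visited holds the nodes processed. */
static int walk(bool fixed, int race_at)
{
	struct node *prev = NULL;
	setup_proc();
	inner_lock();
	for (struct node *n = proc_nodes; n; n = n->link) {
		if (fixed) n->tmpref++;               /* 1/8: inc_node_tmpref_ilocked() */
		inner_unlock();
		if (fixed && prev) put_node(prev);    /* 1/8: put the previous node unlocked */
		if (visited == race_at) release_proc();
		touch(n);                             /* binder_node_lock(node) */
		visited++;
		prev = n;
		inner_lock();
		if (fixed && proc_is_dead) break;     /* 2/8: the nodes have left the tree */
		touch(n);                             /* rb_next(n) reads n->link */
	}
	inner_unlock();
	if (fixed && prev) put_node(prev);
	return freed_touches + oob_touches;
}

int main(void)
{
	printf("release during node 0: pre-fix walk %d bad accesses\n", walk(false, 0));
	printf("release during node 0: fixed walk %d bad accesses, ", walk(true, 0));
	printf("%d node(s) visited, node 0 tmpref %d\n", visited, pool[0].tmpref);
	return 0;
}
```

Bad accesses are counted rather than performed, so the pre-fix walk reports both the UAF and the OOB without relying on undefined behaviour.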
Date: Thu, 26 Sep 2024 23:36:14 +0000
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
References: <20240926233632.821189-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.1.824.gd892dcdcdd-goog
Message-ID: <20240926233632.821189-4-cmllamas@google.com>
Subject: [PATCH v2 3/8] binder: fix freeze UAF in binder_release_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
    binder_release_work+0x398/0x3d0
    binder_deferred_func+0xb60/0x109c
    process_one_work+0x51c/0xbd4
    worker_thread+0x608/0xee8

  Allocated by task 703:
    __kmalloc_cache_noprof+0x130/0x280
    binder_thread_write+0xdb4/0x42a0
    binder_ioctl+0x18f0/0x25ac
    __arm64_sys_ioctl+0x124/0x190
    invoke_syscall+0x6c/0x254

  Freed by task 211:
    kfree+0xc4/0x230
    binder_deferred_func+0xae8/0x109c
    process_one_work+0x51c/0xbd4
    worker_thread+0x608/0xee8
  ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
Signed-off-by: Carlos Llamas
---
 drivers/android/binder.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8bca2de6fa24..d955135ee37a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1225,6 +1225,12 @@ static void binder_cleanup_ref_olocked(struct binder_ref *ref)
 		binder_dequeue_work(ref->proc, &ref->death->work);
 		binder_stats_deleted(BINDER_STAT_DEATH);
 	}
+
+	if (ref->freeze) {
+		binder_dequeue_work(ref->proc, &ref->freeze->work);
+		binder_stats_deleted(BINDER_STAT_FREEZE);
+	}
+
 	binder_stats_deleted(BINDER_STAT_REF);
 }
 
-- 
2.46.1.824.gd892dcdcdd-goog
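Review bot: the new block in hunk @@ -1225 mirrors the death-notification branch above it by dequeuing the work and decrementing BINDER_STAT_FREEZE, but it leaves ref->freeze itself allocated; the commit message should say where that object is released (presumably on the same path that frees ref->death) so a reviewer can confirm the stats_deleted call is balanced against a real free rather than a leak, and that no other queue still holds the work after it is dequeued here.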
Date: Thu, 26 Sep 2024 23:36:15 +0000
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
References: <20240926233632.821189-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.1.824.gd892dcdcdd-goog
Message-ID: <20240926233632.821189-5-cmllamas@google.com>
Subject: [PATCH v2 4/8] binder: fix BINDER_WORK_FROZEN_BINDER debug logs
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org, Todd Kjos

The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:

  proc 649
  context binder-test
    thread 649: l 00 need_return 0 tr 0
    ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
    unknown work: type 10

This patch adds the freeze work type, and it is now logged as such:

  proc 637
  context binder-test
    thread 637: l 00 need_return 0 tr 0
    ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
    has frozen binder

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos
Signed-off-by: Carlos Llamas
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d955135ee37a..2be9f3559ed7 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6408,6 +6408,9 @@ static void print_binder_work_ilocked(struct seq_file *m,
 	case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
 		seq_printf(m, "%shas cleared death notification\n", prefix);
 		break;
+	case BINDER_WORK_FROZEN_BINDER:
+		seq_printf(m, "%shas frozen binder\n", prefix);
+		break;
 	default:
 		seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
 		break;
-- 
2.46.1.824.gd892dcdcdd-goog
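Review bot: hunk @@ -6408 covers BINDER_WORK_FROZEN_BINDER only, so BINDER_WORK_CLEAR_FREEZE_NOTIFICATION (the "type 11" in the 5/8 log sample) still falls into the `default:` "unknown work" arm at this point in the series; since both are one-line seq_printf cases carrying the same Fixes: tag, squashing 5/8 into this patch would keep the debug output consistent at every bisect point and give stable one backport instead of two.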
Date: Thu, 26 Sep 2024 23:36:16 +0000
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
References: <20240926233632.821189-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.1.824.gd892dcdcdd-goog
Message-ID: <20240926233632.821189-6-cmllamas@google.com>
Subject: [PATCH v2 5/8] binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

  proc 699
  context binder-test
    thread 699: l 00 need_return 0 tr 0
    ref 25: desc 1 node 20 s 1 w 0 d 00000000c03e09a3
    unknown work: type 11

  proc 640
  context binder-test
    thread 640: l 00 need_return 0 tr 0
    ref 8: desc 1 node 3 s 1 w 0 d 000000002bb493e1
    has cleared freeze notification

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 2be9f3559ed7..73dc6cbc1681 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6411,6 +6411,9 @@ static void print_binder_work_ilocked(struct seq_file= *m, case BINDER_WORK_FROZEN_BINDER: seq_printf(m, "%shas frozen binder\n", prefix); break; + case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION: + seq_printf(m, "%shas cleared freeze notification\n", prefix); + break; default: seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); break; --=20 2.46.1.824.gd892dcdcdd-goog From nobody Thu Nov 28 22:39:20 2024 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CEC7F1B07C7 for ; Thu, 26 Sep 2024 23:36:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727393816; cv=none; b=IhghtnDJ+QvwPHtgjvdIaC4KXunBH+C15LYunnqmAPYMOcYsk3q4PHnqybf8YVZBcg2WDbWQ4w6QA2Ai+1c+cnFdahDOAMZdNFzI9LMiHzBbvKhBGaxywRT82wyJ7oQh4YT213/WvK4FWhT++8vrR+OE3RTraNA1ZwVTkfjOlbo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727393816; c=relaxed/simple; bh=ae5tTSVI1o+B0gCRfKTrz5iX28d2to5YMLSbIYZCEPw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=dEYs/PQ/DZstiPT36NCbecCTKc2Fllubxup+BWc+9snc0kQBD019D6yyYZTOG6mUEYnf6TzEI8BxrXilHEH6SbGR/NuDmz5yX/+KYiv9fzsmo9trB4Br9AhNgrKBY2/V27zrsTulySYK1dnOepjxauQl2k1o1CEuNIY6Q31NGH8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--cmllamas.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=D0BRapTp; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
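Review bot: the new BINDER_WORK_CLEAR_FREEZE_NOTIFICATION arm in print_binder_work_ilocked() prints only a fixed string, so two pending clear requests on different refs are indistinguishable in the debugfs output. Consider printing the freeze cookie as well, the way the BINDER_WORK_CLEAR_FREEZE_NOTIFICATION arm added to binder_release_work() in patch 7/8 of this series does ("undelivered freeze notification, %016llx", (u64)freeze->cookie); that needs a `container_of(w, struct binder_ref_freeze, work)` in this arm too. Placement directly after the BINDER_WORK_FROZEN_BINDER case, which it mirrors, is right.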
Date: Thu, 26 Sep 2024 23:36:17 +0000
Message-ID: <20240926233632.821189-7-cmllamas@google.com>
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
Subject: [PATCH v2 6/8] binder: allow freeze notification for dead nodes
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

Alice points out that binder_request_freeze_notification() should not
return EINVAL when the relevant node is dead [1]. The node can die at any
point even if the user input is valid. Instead, allow the request to be
allocated but skip the initial notification for dead nodes. This avoids
propagating unnecessary errors back to userspace.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl
Link: https://lore.kernel.org/all/CAH5fLghapZJ4PbbkC8V5A6Zay-_sgTzwVpwqk6RWWUNKKyJC_Q@mail.gmail.com/ [1]
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
---
 drivers/android/binder.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 73dc6cbc1681..415fc9759249 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3856,7 +3856,6 @@ binder_request_freeze_notification(struct binder_proc= *proc, { struct binder_ref_freeze *freeze; struct binder_ref *ref; - bool is_frozen; =20 freeze =3D kzalloc(sizeof(*freeze), GFP_KERNEL); if (!freeze) 
@@ -3872,32 +3871,31 @@ binder_request_freeze_notification(struct binder_pr= oc *proc, } =20 binder_node_lock(ref->node); - - if (ref->freeze || !ref->node->proc) { - binder_user_error("%d:%d invalid BC_REQUEST_FREEZE_NOTIFICATION %s\n", - proc->pid, thread->pid, - ref->freeze ? "already set" : "dead node"); + if (ref->freeze) { + binder_user_error("%d:%d BC_REQUEST_FREEZE_NOTIFICATION already set\n", + proc->pid, thread->pid); binder_node_unlock(ref->node); binder_proc_unlock(proc); kfree(freeze); return -EINVAL; } - binder_inner_proc_lock(ref->node->proc); - is_frozen =3D ref->node->proc->is_frozen; - binder_inner_proc_unlock(ref->node->proc); =20 binder_stats_created(BINDER_STAT_FREEZE); INIT_LIST_HEAD(&freeze->work.entry); freeze->cookie =3D handle_cookie->cookie; freeze->work.type =3D BINDER_WORK_FROZEN_BINDER; - freeze->is_frozen =3D is_frozen; - ref->freeze =3D freeze; =20 - binder_inner_proc_lock(proc); - binder_enqueue_work_ilocked(&ref->freeze->work, &proc->todo); - binder_wakeup_proc_ilocked(proc); - binder_inner_proc_unlock(proc); + if (ref->node->proc) { + binder_inner_proc_lock(ref->node->proc); + freeze->is_frozen =3D ref->node->proc->is_frozen; + binder_inner_proc_unlock(ref->node->proc); + + binder_inner_proc_lock(proc); + binder_enqueue_work_ilocked(&freeze->work, &proc->todo); + binder_wakeup_proc_ilocked(proc); + binder_inner_proc_unlock(proc); + } =20 binder_node_unlock(ref->node); binder_proc_unlock(proc); --=20 2.46.1.824.gd892dcdcdd-goog From nobody Thu Nov 28 22:39:20 2024 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE04F1B1D48 for ; Thu, 26 Sep 2024 23:36:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727393819; 
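Review bot: in the dead-node path of the second hunk (ref->node->proc is NULL), `ref->freeze = freeze;` is still assigned and the request returns success, yet nothing is enqueued on proc->todo, so the caller gets neither an error nor the initial freeze notification for that handle; that is what the commit message intends, but nothing in the function says so. Suggest a one-line comment above `if (ref->node->proc) {` stating that a dead node has no owning process, that the initial notification is deliberately skipped, and that freeze->is_frozen is left at its kzalloc() default (false) in that case. The first hunk's removal of the `is_frozen` local follows from moving the read of ref->node->proc->is_frozen inside that block, and using `&freeze->work` instead of `&ref->freeze->work` in the enqueue is equivalent since ref->freeze was just set.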
Date: Thu, 26 Sep 2024 23:36:18 +0000
Message-ID: <20240926233632.821189-8-cmllamas@google.com>
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
Subject: [PATCH v2 7/8] binder: fix memleak of proc->delivered_freeze
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:

  unreferenced object 0xffff38e8cfa36180 (size 64):
    comm "binder-util", pid 655, jiffies 4294936641
    hex dump (first 32 bytes):
      b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff  .....8.......8..
      0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00  ........<.K.....
    backtrace (crc 95983b32):
      [<000000000d0582cf>] kmemleak_alloc+0x34/0x40
      [<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
      [<00000000313b1704>] binder_thread_write+0xdec/0x439c
      [<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
      [<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
      [<00000000b439adee>] invoke_syscall+0x6c/0x254
      [<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
      [<0000000084f72311>] do_el0_svc+0x40/0x58
      [<000000008b872457>] el0_svc+0x38/0x78
      [<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
      [<00000000a8ec61bf>] el0t_64_sync+0x190/0x194

This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 415fc9759249..7c09b5e38e32 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -5155,6 +5155,16 @@ static void binder_release_work(struct binder_proc *= proc, } break; case BINDER_WORK_NODE: break; + case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION: { + struct binder_ref_freeze *freeze; + + freeze =3D container_of(w, struct binder_ref_freeze, work); + binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, + "undelivered freeze notification, %016llx\n", + (u64)freeze->cookie); + kfree(freeze); + binder_stats_deleted(BINDER_STAT_FREEZE); + } break; default: pr_err("unexpected work type, %d, not freed\n", wtype); 
@@ -6273,6 +6283,7 @@ static void binder_deferred_release(struct binder_pro= c *proc) =20 binder_release_work(proc, &proc->todo); binder_release_work(proc, &proc->delivered_death); + binder_release_work(proc, &proc->delivered_freeze); =20 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions= %d\n", --=20 2.46.1.824.gd892dcdcdd-goog From nobody Thu Nov 28 22:39:20 2024 Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F8211B1D5C for ; Thu, 26 Sep 2024 23:37:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727393821; cv=none; b=nPi4hZJkrX5i9m/ec5y32Yc/s+XOGaS64xesVQpnTccypeT4hoHA9kPgp7rQl/aY3HPOqPAfpfFY/0Adxs0l9NRcetSpARQZakqeSHp9BS2/2IzOHdOovKDHxB9VzWtJoWLk4n1AnrY9so7H4Q4uMUbspe7K/vKqxxIRNG1jAPc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727393821; c=relaxed/simple; bh=0wQLZGUBmhpsm/PqIKgF4vhryRNNUmvmm5suV7LfdPQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=t0OCZoMa6xPw4c7UWwPIc17j205jGc9pp3819sA19mLZJHAUr34O40pFXT4GCTJxzV8o78UzUvikbnS8VB1TGQXyDwFY7m/421A9nWv7uqf6Lpe4SNSgCQQ9ZlIW3f1QlmoBARGmI7rSohCZIpxv98x03f/25dGBqIhu1qP27bg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--cmllamas.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=v+y4tOKd; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
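Review bot: the new BINDER_WORK_CLEAR_FREEZE_NOTIFICATION arm in binder_release_work() (first hunk) calls kfree(freeze) unconditionally, which is only safe because, as the commit message states, BC_CLEAR_FREEZE_NOTIFICATION has already detached the work from ref->freeze by the time it sits in proc->delivered_freeze with this type; a short comment above the `case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION: {` line recording that invariant would stop a later change from freeing an entry a ref still points at. Also, the message is logged under BINDER_DEBUG_DEAD_TRANSACTION although it concerns a freeze notification rather than a transaction; if no closer debug mask exists, a sentence in the commit message saying so would help. The second hunk, adding `binder_release_work(proc, &proc->delivered_freeze);` beside the delivered_death release, is straightforward.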
Date: Thu, 26 Sep 2024 23:36:19 +0000
Message-ID: <20240926233632.821189-9-cmllamas@google.com>
In-Reply-To: <20240926233632.821189-1-cmllamas@google.com>
Subject: [PATCH v2 8/8] binder: add delivered_freeze to debugfs output
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

Add the pending proc->delivered_freeze work to the debugfs output. This
information was omitted in the original implementation of the freeze
notification and can be valuable for debugging issues.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 7c09b5e38e32..ef353ca13c35 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6569,6 +6569,10 @@ static void print_binder_proc(struct seq_file *m, seq_puts(m, " has delivered dead binder\n"); break; } + list_for_each_entry(w, &proc->delivered_freeze, entry) { + seq_puts(m, " has delivered freeze binder\n"); + break; + } binder_inner_proc_unlock(proc); if (!print_all && m->count =3D=3D header_pos) m->count =3D start_pos; --=20 2.46.1.824.gd892dcdcdd-goog
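Review bot: `list_for_each_entry(w, &proc->delivered_freeze, entry) { seq_puts(...); break; }` in the print_binder_proc() hunk prints the line at most once and then leaves the loop, so it is an `if (!list_empty(&proc->delivered_freeze))` written as a loop; it copies the delivered_death idiom in the context lines just above, so it is consistent, but the output says neither how many freeze works are pending nor which cookies they carry, which is exactly what someone chasing the leak fixed in patch 7/8 would want to see. Consider dropping the `break` and printing freeze->cookie per entry (via `container_of(w, struct binder_ref_freeze, work)`), or, if one line is intended, using list_empty() so the intent is explicit. The string "has delivered freeze binder" also reads oddly next to "has delivered dead binder": these are freeze notifications sent to userspace and waiting on binder_freeze_notification_done(), so "has delivered freeze notification" would describe the list better.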