From nobody Sat Feb 7 19:45:09 2026
Date: Tue, 11 Nov 2025 14:23:32 +0000
In-Reply-To: <20251111-binder-fix-list-remove-v1-0-8ed14a0da63d@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20251111-binder-fix-list-remove-v1-0-8ed14a0da63d@google.com>
X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F
X-Mailer: b4 0.14.2
Message-ID: <20251111-binder-fix-list-remove-v1-1-8ed14a0da63d@google.com>
Subject: [PATCH 1/3] rust_binder: fix race condition on death_list
From: Alice Ryhl
To: Greg Kroah-Hartman, Carlos Llamas, Miguel Ojeda
Cc: Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Suren Baghdasaryan, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Alice Ryhl, stable@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Rust Binder contains the following unsafe operation:

    // SAFETY: A `NodeDeath` is never inserted into the death list
    // of any node other than its owner, so it is either in this
    // death list or in no death list.
    unsafe { node_inner.death_list.remove(self) };

This operation is unsafe because when touching the prev/next pointers of
a list element, we have to ensure that no other thread is also touching
them in parallel. If the node is present in the list that `remove` is
called on, then that is fine because we have exclusive access to that
list. If the node is not in any list, then it's also ok. But if it's
present in a different list that may be accessed in parallel, then that
may be a data race on the prev/next pointers.

And unfortunately that is exactly what is happening here. In
Node::release, we:

 1. Take the lock.
 2. Move all items to a local list on the stack.
 3. Drop the lock.
 4. Iterate the local list on the stack.

Combined with threads using the unsafe remove method on the original
list, this leads to memory corruption of the prev/next pointers.
This leads to crashes like this one:

    Unable to handle kernel paging request at virtual address 000bb9841bcac70e
    Mem abort info:
      ESR = 0x0000000096000044
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x04: level 0 translation fault
    Data abort info:
      ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000
      CM = 0, WnR = 1, TnD = 0, TagAccess = 0
      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [000bb9841bcac70e] address between user and kernel address ranges
    Internal error: Oops: 0000000096000044 [#1] PREEMPT SMP
    google-cdd 538c004.gcdd: context saved(CPU:1)
    item - log_kevents is disabled
    Modules linked in: ... rust_binder
    CPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S W OE 6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b
    Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    Hardware name: MUSTANG PVT 1.0 based on LGA (DT)
    Workqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder]
    pstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
    pc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder]
    lr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder]
    sp : ffffffc09b433ac0
    x29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448
    x26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578
    x23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40
    x20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00
    x17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0
    x14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0
    x11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000
    x8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : fffffffebee63f30
    x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
    x2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00
    Call trace:
     _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc]
     process_scheduled_works+0x1c4/0x45c
     worker_thread+0x32c/0x3e8
     kthread+0x11c/0x1c8
     ret_from_fork+0x10/0x20
    Code: 94218d85 b4000155 a94026a8 d10102a0 (f9000509)
    ---[ end trace 0000000000000000 ]---

Thus, modify Node::release to pop items directly off the original list.

Cc: stable@vger.kernel.org
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl
Acked-by: Miguel Ojeda
--- drivers/android/binder/node.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/android/binder/node.rs b/drivers/android/binder/node.rs index ade895ef791ec5746f9f5c1bfc15f47d59829455..107e08a3ba782225c0f8e03add2= 47ec667a970d6 100644 --- a/drivers/android/binder/node.rs +++ b/drivers/android/binder/node.rs 
@@ -541,10 +541,10 @@ pub(crate) fn release(&self) { guard =3D self.owner.inner.lock(); } =20 - let death_list =3D core::mem::take(&mut self.inner.access_mut(&mut= guard).death_list); - drop(guard); - for death in death_list { + while let Some(death) =3D self.inner.access_mut(&mut guard).death_= list.pop_front() { + drop(guard); death.into_arc().set_dead(); + guard =3D self.owner.inner.lock(); } } =20 --=20 2.51.2.1041.gc1ab5b90ca-goog

From nobody Sat Feb 7 19:45:09 2026
Date: Tue, 11 Nov 2025 14:23:33 +0000
In-Reply-To: <20251111-binder-fix-list-remove-v1-0-8ed14a0da63d@google.com>
Message-ID: <20251111-binder-fix-list-remove-v1-2-8ed14a0da63d@google.com>
Subject: [PATCH 2/3] rust_binder: avoid mem::take on delivered_deaths
From: Alice Ryhl
To: Greg Kroah-Hartman, Carlos Llamas, Miguel Ojeda
Cc: Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Suren Baghdasaryan, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Alice Ryhl, stable@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Similar to the previous commit, List::remove is used on
delivered_deaths, so do not use mem::take on it as that may result in
violations of the List::remove safety requirements.

I don't think this particular case can be triggered because it requires
fd close to run in parallel with an ioctl on the same fd. But let's not
tempt fate.

Cc: stable@vger.kernel.org
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl
Acked-by: Miguel Ojeda
--- drivers/android/binder/process.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/pro= cess.rs index f13a747e784c84a0fb09cbf47442712106eba07c..022f554bb049280126fdaf636dc= 7a41dd02c535e 100644 --- a/drivers/android/binder/process.rs +++ b/drivers/android/binder/process.rs 
@@ -1335,8 +1335,12 @@ fn deferred_release(self: Arc) { work.into_arc().cancel(); } =20 - let delivered_deaths =3D take(&mut self.inner.lock().delivered_dea= ths); - drop(delivered_deaths); + // Clear delivered_deaths list. + // + // Scope ensures that MutexGuard is dropped while executing the bo= dy. + while let Some(delivered_death) =3D { self.inner.lock().delivered_= deaths.pop_front() } { + drop(delivered_death); + } =20 // Free any resources kept alive by allocated buffers. let omapping =3D self.inner.lock().mapping.take(); --=20 2.51.2.1041.gc1ab5b90ca-goog

From nobody Sat Feb 7 19:45:09 2026
Date: Tue, 11 Nov 2025 14:23:34 +0000
In-Reply-To: <20251111-binder-fix-list-remove-v1-0-8ed14a0da63d@google.com>
Message-ID:
 <20251111-binder-fix-list-remove-v1-3-8ed14a0da63d@google.com>
Subject: [PATCH 3/3] rust: list: add warning to List::remove docs about mem::take
From: Alice Ryhl
To: Greg Kroah-Hartman, Carlos Llamas, Miguel Ojeda
Cc: Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Suren Baghdasaryan, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Alice Ryhl
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The previous patches in this series illustrate why the List::remove
method is really dangerous. I think the real takeaway here is to replace
the linked lists with a different data structure without this unsafe
footgun, but for now we fix the bugs and add a warning to the docs.

Signed-off-by: Alice Ryhl
Acked-by: Miguel Ojeda
--- rust/kernel/list.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rust/kernel/list.rs b/rust/kernel/list.rs index 7355bbac16a7fe7feeb8bc6408671817b186b21d..8349ff32fc37ff7141fb7c62d26= 653bda6507f91 100644 --- a/rust/kernel/list.rs +++ b/rust/kernel/list.rs @@ -576,6 +576,9 @@ pub fn pop_front(&mut self) -> Option> { /// This returns `None` if the item is not in the list. (Note that by = the safety requirements, /// this means that the item is not in any list.) /// + /// When using this method, be careful with using `mem::take` on the s= ame list as that may + /// result in violating the safety requirements of this method. + /// /// # Safety /// /// `item` must not be in a different linked list (with the same id). --=20 2.51.2.1041.gc1ab5b90ca-goog
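
Review bot: In the node.rs hunk of patch 1/3, the new `while let` loop in `release` has no comment saying why the list has to be drained with `pop_front()` under the lock, whereas the equivalent loop in patch 2/3 gets one. A short comment above the loop, saying that other threads call the unsafe `death_list.remove()` on this list and its contents must therefore never be moved into a local list, would keep a later cleanup from turning it back into `core::mem::take`. It is also worth confirming one behaviour change: the guard is dropped around `set_dead()` and re-taken at the end of the body, so entries pushed onto `death_list` while the loop runs are now popped as well, which the removed take-then-iterate code did not do.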
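
Review bot: In the process.rs hunk of patch 2/3, the added comment explains the braces around `self.inner.lock().delivered_deaths.pop_front()` but not why the list is drained one element at a time instead of with `take`. Suggest one more comment line pointing at the `List::remove` safety requirement, since without it the loop reads like a slower spelling of the two removed lines. The comment could also say that `drop(delivered_death);` runs without the lock held, which is the property the braces exist to guarantee.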
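
Review bot: In the list.rs hunk of patch 3/3, the new warning sits in the description above `# Safety` and only asks the caller to "be careful", while the `# Safety` section still reads "`item` must not be in a different linked list (with the same id)." Consider stating the rule inside `# Safety` itself, for example that moving a list's contents out with `mem::take` creates a different list for the purpose of this requirement, so callers of `remove` know exactly which situation they have to rule out.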
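
A constructed user-space model of the problem described in the commit message of patch 1/3, added here as an illustration; it is not code from this series or from the kernel. `Arena`, `Links`, `release_with_take` and `release_with_pop` are hypothetical names, and the two threads are replayed as one fixed interleaving in safe Rust, so it shows the resulting list corruption rather than the data race itself.

```rust
// Constructed model (not kernel code): an arena-backed doubly linked list whose
// `remove` trusts the caller the way the kernel's unsafe `List::remove` does.
use std::mem;

#[derive(Clone, Copy, Default)]
struct Links { prev: Option<usize>, next: Option<usize>, linked: bool }

#[derive(Default)]
struct List { head: Option<usize>, tail: Option<usize> }

struct Arena(Vec<Links>);

impl Arena {
    fn push_back(&mut self, l: &mut List, i: usize) {
        self.0[i] = Links { prev: l.tail, next: None, linked: true };
        match l.tail { Some(t) => self.0[t].next = Some(i), None => l.head = Some(i) }
        l.tail = Some(i);
    }
    /// Contract: node `i` is in `l` or in no list. Nothing checks which list.
    fn remove(&mut self, l: &mut List, i: usize) -> bool {
        let Links { prev, next, linked } = self.0[i];
        if !linked { return false; }
        match prev { Some(p) => self.0[p].next = next, None => l.head = next }
        match next { Some(n) => self.0[n].prev = prev, None => l.tail = prev }
        self.0[i] = Links::default();
        true
    }
    fn pop_front(&mut self, l: &mut List) -> Option<usize> {
        let i = l.head?;
        self.remove(l, i);
        Some(i)
    }
    fn walk(&self, l: &List) -> Vec<usize> {
        let (mut out, mut cur) = (Vec::new(), l.head);
        while let Some(i) = cur { out.push(i); cur = self.0[i].next; }
        out
    }
}

// Three nodes, 0..3, all linked into one list.
fn setup() -> (Arena, List) {
    let mut a = Arena(vec![Links::default(); 3]);
    let mut l = List::default();
    for i in 0..3 { a.push_back(&mut l, i); }
    (a, l)
}

/// Pre-fix shape: take the list, then another thread removes node 0 via the
/// original list. Returns (nodes the release loop visits, nodes `orig` reaches).
fn release_with_take() -> (Vec<usize>, Vec<usize>) {
    let (mut a, mut orig) = setup();
    let local = mem::take(&mut orig); // done under the lock
    a.remove(&mut orig, 0);           // other thread, after the lock is dropped
    (a.walk(&local), a.walk(&orig))
}

/// Post-fix shape: pop one node at a time; the remover always sees the real list.
/// Returns (nodes delivered by the loop, whether the remover unlinked node 2).
fn release_with_pop() -> (Vec<usize>, bool) {
    let (mut a, mut orig) = setup();
    let (mut delivered, mut removed) = (Vec::new(), false);
    while let Some(i) = a.pop_front(&mut orig) {
        delivered.push(i);
        if i == 0 { removed = a.remove(&mut orig, 2); } // lock is dropped here
    }
    (delivered, removed)
}

fn main() {
    println!("take: {:?}", release_with_take());
    println!("pop:  {:?}", release_with_pop());
}
```

In the take variant the release loop only ever reaches node 0, while the supposedly empty original list ends up pointing at nodes 1 and 2, which belong to the local list.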