linux/drivers/android
Todd Kjos 80cd795630 binder: fix use-after-free due to ksys_close() during fdget()
44d8047f1d ("binder: use standard functions to allocate fds")
exposed a pre-existing issue in the binder driver.

fdget() is used in ksys_ioctl() as a performance optimization.
One of the rules associated with fdget() is that ksys_close() must
not be called between the fdget() and the fdput(). There is a case
where this requirement is not met in the binder driver which results
in the reference count dropping to 0 when the device is still in
use. This can result in use-after-free or other issues.

If userspace has passed a file-descriptor for the binder driver using
a BINDER_TYPE_FDA object, then ksys_close() is called on it when
handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
the assumptions for using fdget().

The problem is fixed by deferring the close using task_work_add(). A
new variant of __close_fd() was created that returns a struct file
with a reference. The fput() is deferred instead of using ksys_close().

Fixes: 44d8047f1d ("binder: use standard functions to allocate fds")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-19 09:40:13 +01:00
binder.c binder: fix use-after-free due to ksys_close() during fdget() 2018-12-19 09:40:13 +01:00
binder_alloc.c Merge 4.20-rc5 into char-misc-next 2018-12-03 07:56:15 +01:00
binder_alloc.h binder: fix kerneldoc header for struct binder_buffer 2018-12-06 15:44:14 +01:00
binder_alloc_selftest.c android: binder: Add global lru shrinker to binder 2017-08-28 16:47:17 +02:00
binder_trace.h binder: use standard functions to allocate fds 2018-09-14 15:22:36 +02:00
Kconfig binder: use standard functions to allocate fds 2018-09-14 15:22:36 +02:00
Makefile android: binder: Add allocator selftest 2017-08-28 16:47:17 +02:00