redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers
History
Todd Kjos 80cd795630 binder: fix use-after-free due to ksys_close() during fdget() 
44d8047f1d ("binder: use standard functions to allocate fds")
exposed a pre-existing issue in the binder driver.

fdget() is used in ksys_ioctl() as a performance optimization.
One of the rules associated with fdget() is that ksys_close() must
not be called between the fdget() and the fdput(). There is a case
where this requirement is not met in the binder driver which results
in the reference count dropping to 0 when the device is still in
use. This can result in use-after-free or other issues.

If userpace has passed a file-descriptor for the binder driver using
a BINDER_TYPE_FDA object, then kys_close() is called on it when
handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
the assumptions for using fdget().

The problem is fixed by deferring the close using task_work_add(). A
new variant of __close_fd() was created that returns a struct file
with a reference. The fput() is deferred instead of using ksys_close().

Fixes: 44d8047f1d ("binder: use standard functions to allocate fds")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2018-12-19 09:40:13 +01:00
..
accessibility
acpi thunderbolt: Changes for v4.21 merge window 2018-12-10 13:26:17 +01:00
amba
android binder: fix use-after-free due to ksys_close() during fdget() 2018-12-19 09:40:13 +01:00
ata libata: whitelist all SAMSUNG MZ7KM* solid-state disks 2018-12-03 12:54:39 -07:00
atm firestream: fix spelling mistake: "Inititing" -> "Initializing" 2018-11-27 15:32:06 -08:00
auxdisplay The Compiler Attributes series 2018-11-01 18:34:46 -07:00
base devres: Align data[] to ARCH_KMALLOC_MINALIGN 2018-11-11 11:40:04 -08:00
bcma
block for-linus-20181115 2018-11-16 09:31:59 -06:00
bluetooth Merge branch 'work.tty-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-10-24 14:43:41 +01:00
bus bus: fsl-mc: remove duplicated include files 2018-12-06 15:53:20 +01:00
cdrom gdrom: fix mistake in assignment of error 2018-10-25 11:17:40 -06:00
char char: virtio: Change to use DEFINE_SHOW_ATTRIBUTE macro 2018-12-06 15:42:18 +01:00
clk clk: zynqmp: Off by one in zynqmp_is_valid_clock() 2018-12-03 09:54:48 -08:00
clocksource Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-11-11 16:41:50 -06:00
connector
cpufreq cpufreq: ti-cpufreq: Only register platform_device when supported 2018-11-19 11:26:06 +01:00
cpuidle ARM: cpuidle: Convert to use cpuidle_register|unregister() 2018-11-08 18:53:00 +01:00
crypto crypto: hisilicon - Fix reference after free of memories on error path 2018-11-09 17:35:43 +08:00
dax
dca
devfreq
dio
dma dmaengine: dw: Fix FIFO size for Intel Merrifield 2018-12-06 22:53:05 +05:30
dma-buf udmabuf: set read/write flag when exporting 2018-11-16 08:50:53 +01:00
edac * skx_edac: Address translation for NVDIMMs (Tony Luck and Qiuxu Zhuo) 2018-11-02 11:17:22 -07:00
eisa
extcon extcon: max8997: Fix lack of path setting in USB device mode 2018-11-14 09:06:32 +09:00
firewire
firmware firmware: stratix10-svc: fix wrong of_node_put() in init function 2018-12-06 15:42:18 +01:00
fmc
fpga fpga: of-fpga-region: Use platform_set_drvdata 2018-11-26 20:47:10 +01:00
fsi fsi: fsi-scom.c: Remove duplicate header 2018-11-26 10:13:04 +11:00
gnss gnss: sirf: fix activation retry handling 2018-12-06 17:22:23 +01:00
gpio ARM: SoC fixes 2018-12-02 12:19:44 -08:00
gpu drm/ast: Fix connector leak during driver unload 2018-12-06 14:12:02 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-12-04 08:47:04 -08:00
hsi
hv Merge 4.20-rc6 into char-misc-next 2018-12-10 09:22:34 +01:00
hwmon hwmon: (w83795) temp4_type has writable permission 2018-11-18 14:34:56 -08:00
hwspinlock
hwtracing coresight: fix spelling mistake "deffered" -> "deferred" 2018-12-06 15:41:56 +01:00
i2c i2c: uniphier-f: fix violation of tLOW requirement for Fast-mode 2018-12-06 23:14:59 +01:00
ide ide: Change to use DEFINE_SHOW_ATTRIBUTE macro 2018-12-02 22:09:09 -08:00
idle Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-10-23 13:32:18 +01:00
iio iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers 2018-11-16 11:42:12 +00:00
infiniband RDMA/mlx5: Initialize return variable in case pagefault was skipped 2018-11-29 15:16:45 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-12-04 08:47:04 -08:00
iommu iommu/vt-d: Do not enable ATS for untrusted devices 2018-12-05 12:01:56 +03:00
ipack
irqchip irqchip/irq-mvebu-sei: Fix a NULL vs IS_ERR() bug in probe function 2018-11-01 12:38:48 +01:00
isdn Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-11-01 19:58:52 -07:00
leds LED fixes for 4.20-rc2 2018-11-08 17:49:04 -06:00
lightnvm lightnvm: pblk: guarantee that backpointer is respected on writer stall 2018-10-09 08:25:08 -06:00
macintosh memblock: stop using implicit alignment to SMP_CACHE_BYTES 2018-10-31 08:54:16 -07:00
mailbox - Convert print users to use the %pOFn format specifier 2018-10-29 10:30:44 -07:00
mcb
md for-linus-20181102 2018-11-02 11:25:48 -07:00
media media: dvb-pll: don't re-validate tuner frequencies 2018-11-27 13:51:32 -05:00
memory
memstick
message
mfd Revert "mfd: cros_ec: Use devm_kzalloc for private data" 2018-12-05 09:59:38 +00:00
misc misc: ti-st: make array read_ver_cmd static, shrinks object size 2018-12-06 15:53:15 +01:00
mmc mmc: sdhci-pci: Workaround GLK firmware failing to restore the tuning value 2018-11-19 14:11:07 +01:00
mtd mtd: add support for reading MTD devices via the nvmem API 2018-12-06 15:48:54 +01:00
mux This is the bulk of GPIO changes for the v4.20 series: 2018-10-23 08:45:05 +01:00
net bnxt_en: Fix _bnxt_get_max_rings() for 57500 chips. 2018-12-09 11:46:58 -08:00
nfc NFC: nfcmrvl_uart: fix OF child-node lookup 2018-10-23 13:28:53 -05:00
ntb ntb: idt: Alter the driver info comments 2018-11-01 10:33:12 -04:00
nubus
nvdimm libnvdimm, pfn: Pad pfn namespaces relative to other regions 2018-12-05 14:16:12 -08:00
nvme nvmet-rdma: fix response use after free 2018-12-07 07:11:11 -08:00
nvmem nvmem: add new config option 2018-12-06 15:45:46 +01:00
of Devicetree fixes for 4.20-rc: 2018-11-09 16:41:58 -06:00
opp OPP: Fix parsing of multiple phandles in "operating-points-v2" property 2018-11-23 10:47:21 +05:30
oprofile
parisc parisc: Add alternative coding infrastructure 2018-10-17 17:22:26 +02:00
parport parport: parport_pc: Mark expected switch fall-through 2018-11-27 08:31:27 +01:00
pci thunderbolt: Changes for v4.21 merge window 2018-12-10 13:26:17 +01:00
pcmcia powerpc updates for 4.20 2018-10-26 14:36:21 -07:00
perf arm64 updates for 4.20: 2018-10-22 17:30:06 +01:00
phy phy: qcom-qusb2: Fix HSTX_TRIM tuning with fused value for SDM845 2018-11-21 13:13:58 +05:30
pinctrl pinctrl: meson: fix meson8b ao pull register bits 2018-11-05 09:33:22 +01:00
platform pvpanic: move pvpanic to misc as common driver 2018-11-07 13:53:03 +01:00
pnp
power Devicetree updates for 4.20: 2018-10-26 12:09:58 -07:00
powercap Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-10-23 13:32:18 +01:00
pps pps: using ERR_PTR instead of NULL while pps_register_source fails 2018-11-27 10:05:36 +01:00
ps3
ptp ptp: drop redundant kasprintf() to create worker name 2018-10-28 19:20:06 -07:00
pwm pwm: lpss: Only set update bit if we are actually changing the settings 2018-10-16 13:16:15 +02:00
rapidio
ras
regulator regulator: Regulator updates for next release 2018-10-23 01:54:44 +01:00
remoteproc remoteproc: qcom: q6v5-mss: Register segments/dumpfn for coredump 2018-10-19 12:54:03 -07:00
reset ARM: SoC driver updates for 4.17 2018-10-29 15:16:01 -07:00
rpmsg
rtc Staging and IIO driver fixes for 4.20-rc5 2018-11-30 12:23:44 -08:00
s390 virtio/s390: fix race in ccw_io_helper() 2018-12-06 14:22:35 -05:00
sbus drivers/sbus/char: add of_node_put() 2018-12-02 20:55:23 -08:00
scsi SCSI fixes on 20181206 2018-12-05 17:06:31 -08:00
sfi mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
sh
siox
slimbus slimbus: ngd: fix spelling mistake "exeeds" -> "exceeds" 2018-12-06 15:50:06 +01:00
sn
soc soc: ti: QMSS: Fix usage of irq_set_affinity_hint 2018-11-02 11:22:09 -07:00
soundwire soundwire: intel: constify snd_soc_dai_ops structures 2018-11-12 15:36:06 +05:30
spi spi: Fixes for v4.20 2018-11-28 08:33:55 -08:00
spmi
ssb
staging Staging fixes for 4.20-rc6 2018-12-09 10:35:33 -08:00
target scsi: target/core: Avoid that a kernel oops is triggered when COMPARE AND WRITE fails 2018-11-05 22:16:00 -05:00
tc TC: Set DMA masks for devices 2018-10-11 09:16:44 -07:00
tee
thermal thermal: broadcom: constify thermal_zone_of_device_ops structure 2018-12-05 06:47:46 -08:00
thunderbolt thunderbolt: Export IOMMU based DMA protection support to userspace 2018-12-05 12:01:56 +03:00
tty TTY driver fixes for 4.20-rc6 2018-12-09 10:24:29 -08:00
uio uio: dismiss waiters on device unregistration 2018-11-27 11:19:10 +01:00
usb USB-serial fix for v4.20-rc6 2018-12-06 18:02:58 +01:00
uwb
vfio VFIO updates for v4.20 2018-10-31 11:01:38 -07:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-09 15:12:33 -08:00
video fbdev changes for v4.20: 2018-10-31 11:41:37 -07:00
virt vbox: fix link error with 'gcc -Og' 2018-11-11 12:58:27 -08:00
virtio virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON 2018-10-24 20:57:55 -04:00
visorbus
vlynq
vme
w1 w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size). 2018-10-15 20:50:32 +02:00
watchdog watchdog: ts4800: release syscon device node in ts4800_wdt_probe() 2018-10-22 10:16:28 +02:00
xen xen: fixes for 4.20-rc5 2018-12-02 12:15:55 -08:00
zorro
Kconfig
Makefile