github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-12 08:43:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
d2437b10ba
linux/drivers
History
Christian Brauner d2437b10ba UPSTREAM: binderfs: use refcount for binder control devices too 
Binderfs binder-control devices are cleaned up via binderfs_evict_inode
too() which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (suprisingly) helps.

Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only every really when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.

Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 211b64e4b5)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Idb5e9e8945fa95506f3ff4f15bde3efaf65d7c9f
2020-11-16 07:43:08 +01:00
..
accessibility
acpi This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
amba
android UPSTREAM: binderfs: use refcount for binder control devices too 2020-11-16 07:43:08 +01:00
ata ata: sata_nv: Fix retrieving of active qcs 2020-11-05 11:08:38 +01:00
atm atm: eni: fix the missed pci_disable_device() for eni_init_one() 2020-10-01 13:14:51 +02:00
auxdisplay
base UPSTREAM: PM: sleep: wakeup: Skip wakeup_source_sysfs_remove() if device is not there 2020-11-16 07:43:08 +01:00
bcma
block This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
bluetooth Bluetooth: hci_uart: Cancel init work before unregistering 2020-10-29 09:55:05 +01:00
bus bus/fsl_mc: Do not rely on caller to provide non NULL mc_io 2020-11-05 11:08:43 +01:00
cdrom
char This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
clk This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
clocksource This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
connector
cpufreq This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
cpuidle This is the 4.19.144 stable release 2020-09-09 19:48:58 +02:00
crypto This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
dax
dca
devfreq This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
dio
dma dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status 2020-11-05 11:08:50 +01:00
dma-buf UPSTREAM: dma-buf: free dmabuf->name in dma_buf_release() 2020-11-15 15:40:31 +00:00
edac This is the 4.19.153 stable release 2020-10-29 11:36:20 +01:00
eisa
energy_model
extcon This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
firewire
firmware This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
fmc
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:16:48 +02:00
fsi
gnss This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
gpio This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
gpu This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
hid This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
hsi
hv Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload 2020-09-23 12:10:59 +02:00
hwmon This is the 4.19.153 stable release 2020-10-29 11:36:20 +01:00
hwspinlock
hwtracing UPSTREAM: coresight: tmc: Fix bad register address for CLAIM 2020-11-15 15:06:03 +01:00
i2c This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
ide
idle
iio This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
infiniband This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
input UPSTREAM: Input: fix stale timestamp on key autorepeat events 2020-11-16 07:43:08 +01:00
iommu This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip This is the 4.19.143 stable release 2020-09-03 13:19:20 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: bcm6328, bcm6358: use devres LED registering function 2020-11-05 11:08:46 +01:00
lightnvm
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox This is the 4.19.154 stable release 2020-10-30 11:43:26 +01:00
mcb
md This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
media This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
memory memory: emif: Remove bogus debugfs error handling 2020-11-05 11:08:45 +01:00
memstick
message scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() 2020-11-05 11:08:47 +01:00
mfd mfd: sm501: Fix leaks in probe() 2020-10-29 09:55:13 +01:00
misc This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
mmc This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
mtd ubi: check kthread_should_stop() after the setting of task state 2020-11-05 11:08:52 +01:00
mux
net This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
nfc NFC: st95hf: Fix memleak in st95hf_in_send_cmd 2020-09-17 13:45:24 +02:00
ntb NTB: hw: amd: fix an issue about leak system resources 2020-10-30 10:38:25 +01:00
nubus
nvdimm This is the 4.19.127 stable release 2020-06-07 14:25:43 +02:00
nvme nvme-rdma: fix crash when connect rejected 2020-11-05 11:08:45 +01:00
nvmem This is the 4.19.128 stable release 2020-06-11 09:16:29 +02:00
of This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
opp
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:15:07 +02:00
parport
pci This is the 4.19.154 stable release 2020-10-30 11:43:26 +01:00
pcmcia
perf drivers/perf: xgene_pmu: Fix uninitialized resource struct 2020-10-29 09:55:00 +01:00
phy phy: samsung: s5pv210-usb2: Add delay after reset 2020-10-01 13:14:44 +02:00
pinctrl pinctrl: mcp23s08: Fix mcp23x17 precious range 2020-10-29 09:55:10 +01:00
platform This is the 4.19.153 stable release 2020-10-29 11:36:20 +01:00
pnp
power This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
powercap powercap: restrict energy meter to root access 2020-11-10 21:11:27 +01:00
pps
ps3
ptp
pwm This is the 4.19.154 stable release 2020-10-30 11:43:26 +01:00
rapidio rapidio: fix the missed put_device() for rio_mport_add_riodev 2020-10-30 10:38:21 +01:00
ras
regulator This is the 4.19.153 stable release 2020-10-29 11:36:20 +01:00
remoteproc remoteproc: qcom: q6v5: Update running state before requesting stop 2020-08-21 11:05:34 +02:00
reset
rpmsg rpmsg: glink: Use complete_all for open states 2020-11-05 11:08:43 +01:00
rtc This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
s390 s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl 2020-10-01 13:14:54 +02:00
sbus
scsi This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
sfi
sh
siox
slimbus slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback 2020-10-29 09:55:12 +01:00
sn
soc This is the 4.19.140 stable release 2020-08-19 08:43:22 +02:00
soundwire
spi This is the 4.19.153 stable release 2020-10-29 11:36:20 +01:00
spmi Revert "ANDROID: GKI: spmi: pmic-arb: don't enable SPMI_MSM_PMIC_ARB by default" 2020-05-01 19:41:44 +00:00
ssb
staging This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
target scsi: target: tcmu: Fix warning: 'page' may be used uninitialized 2020-10-29 09:55:14 +01:00
tc
tee
thermal This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty This is the 4.19.156 stable release 2020-11-10 13:23:09 +01:00
uio uio: free uio id after uio file node is freed 2020-11-05 11:08:42 +01:00
usb UPSTREAM: usb: typec: altmode: Fix typec_altmode_get_partner sometimes returning an invalid pointer 2020-11-16 07:43:08 +01:00
uwb
vfio This is the 4.19.154 stable release 2020-10-30 11:43:26 +01:00
vhost This is the 4.19.155 stable release 2020-11-05 14:02:27 +01:00
video video: fbdev: pvr2fb: initialize variables 2020-11-05 11:08:39 +01:00
virt drivers/virt/fsl_hypervisor: Fix error handling path 2020-10-29 09:55:09 +01:00
virtio This is the 4.19.142 stable release 2020-08-26 11:07:03 +02:00
visorbus
vlynq
vme
w1 w1: mxc_w1: Fix timeout resolution problem leading to bus error 2020-11-05 11:08:47 +01:00
watchdog drivers: watchdog: rdc321x_wdt: Fix race condition bugs 2020-11-05 11:08:44 +01:00
xen xen/events: block rogue events for some time 2020-11-05 11:08:37 +01:00
zorro
Kconfig UPSTREAM: gpu/trace: add a gpu total memory usage tracepoint 2020-04-21 15:34:05 +00:00
Makefile