tree:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 1e2a199f6ccdc15cf111d68d212e2fd4ce65682e
commit: f3277cbfba763cd2826396521b9296de67cf1bbc binder: fix UAF when releasing todo list
date: 3 months ago
config: nds32-randconfig-m031-20210120 (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp(a)intel.com>
New smatch warnings:
drivers/android/binder.c:4585 (null)() warn: inconsistent indenting
drivers/android/binder.c:4586 (null)() warn: ignoring unreachable code.
Old smatch warnings:
drivers/android/binder.c:2342 binder_transaction_buffer_release() warn: if();
drivers/android/binder.c:2401 binder_transaction_buffer_release() warn: inconsistent
indenting
drivers/android/binder.c:2402 binder_transaction_buffer_release() warn: ignoring
unreachable code.
drivers/android/binder.c:4593 (null)() warn: inconsistent indenting
drivers/android/binder.c:4599 (null)() warn: inconsistent indenting
drivers/android/binder.c:4610 (null)() warn: inconsistent indenting
drivers/android/binder.c:4616 (null)() warn: inconsistent indenting
drivers/android/binder.c:5170 binder_mmap() warn: if();
vim +4585 drivers/android/binder.c
355b0502f6efea0f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4562
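/**
 * binder_release_work() - discard every pending work item on @list
 * @proc:	owning process; its inner lock serialises the dequeue
 * @list:	work list being torn down
 *
 * Drains @list one item at a time.  Each item is dequeued and its type is
 * read while the proc inner lock is held; the lock is dropped before the
 * item is released.  Transactions are failed with BR_DEAD_REPLY,
 * TRANSACTION_COMPLETE and death-notification items are logged and freed,
 * RETURN_ERROR items are only logged (not freed here), and BINDER_WORK_NODE
 * items are not touched at all.  Any other type is reported and left as is.
 *
 * Returns once the list is empty.
 */
static void binder_release_work(struct binder_proc *proc,
				struct list_head *list)
{
	struct binder_work *w;
	enum binder_work_type wtype;

	while (1) {
		binder_inner_proc_lock(proc);
		w = binder_dequeue_work_head_ilocked(list);
		/*
		 * Snapshot the type while the lock is still held.  NOTE(review):
		 * the commit this belongs to is "fix UAF when releasing todo
		 * list"; the BINDER_WORK_NODE case below deliberately never
		 * dereferences w after the unlock -- keep it that way.
		 */
		wtype = w ? w->type : 0;
		binder_inner_proc_unlock(proc);
		if (!w)
			return;

		switch (wtype) {
		case BINDER_WORK_TRANSACTION: {
			struct binder_transaction *t;

			t = container_of(w, struct binder_transaction, work);

			binder_cleanup_transaction(t, "process died.",
						   BR_DEAD_REPLY);
		}
			/*
			 * break on its own line: "} break;" is what smatch
			 * reports as inconsistent indenting / unreachable code.
			 */
			break;
		case BINDER_WORK_RETURN_ERROR: {
			struct binder_error *e = container_of(
					w, struct binder_error, work);

			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_ERROR: %u\n",
				e->cmd);
		}
			break;
		case BINDER_WORK_TRANSACTION_COMPLETE: {
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_COMPLETE\n");
			/* the work struct itself is the allocation here */
			kfree(w);
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		}
			break;
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
			struct binder_ref_death *death;

			death = container_of(w, struct binder_ref_death, work);
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered death notification, %016llx\n",
				(u64)death->cookie);
			kfree(death);
			binder_stats_deleted(BINDER_STAT_DEATH);
		}
			break;
		case BINDER_WORK_NODE:
			/* nothing to release; w must not be dereferenced */
			break;
		default:
			pr_err("unexpected work type, %d, not freed\n",
			       wtype);
			break;
		}
	}
}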
355b0502f6efea0f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4619
:::::: The code at line 4585 was first introduced by commit
:::::: 355b0502f6efea0ff9492753888772c96972d2a3 Revert "Staging: android: delete
android drivers"
:::::: TO: Greg Kroah-Hartman <gregkh(a)suse.de>
:::::: CC: Greg Kroah-Hartman <gregkh(a)suse.de>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org