| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Oct 2019 15:34:14 +0200
From: "Christian Brauner" <christian.brauner@...ntu.com>
To: "Jann Horn" <jannh@...gle.com>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
"Todd Kjos" <tkjos@...roid.com>,
"Martijn Coenen" <maco@...roid.com>,
"Joel Fernandes" <joel@...lfernandes.org>,
"Christian Brauner" <christian@...uner.io>, <jannh@...gle.com>
Cc: <devel@...verdev.osuosl.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/3] binder: Fix race between mmap() and
binder_alloc_print_pages()
On Fri Oct 18, 2019 at 10:56 PM Jann Horn wrote:
> binder_alloc_print_pages() iterates over
> alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
> binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
> without holding that lock, and even writes them before the last bailout
> point.
>
> Unfortunately we can't take the alloc->mutex in the ->mmap() handler
> because mmap_sem can be taken while alloc->mutex is held.
> So instead, we have to locklessly check whether the binder_alloc has been
> fully initialized with binder_alloc_get_vma(), like in
> binder_alloc_new_buf_locked().
>
> Fixes: 8ef4665aa129 ("android: binder: Add page usage in binder stats")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jann Horn <jannh@...gle.com>
Ok, I see a smp_wmb() in binder_alloc_set_vma() which is called in
binder_alloc_mmap_handler() paired with a smp_rmb() in
binder_alloc_get_vma(). That makes sense to me.
Acked-by: Christian Brauner <christian.brauner@...ntu.com>
Powered by blists - more mailing lists