Message-Id: <20250804002335.3613254-18-sashal@kernel.org>
Date: Sun,  3 Aug 2025 20:22:27 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
	stable@...r.kernel.org
Cc: Tiffany Yang <ynaffit@...gle.com>,
	Carlos Llamas <cmllamas@...gle.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Sasha Levin <sashal@...nel.org>,
	arve@...roid.com,
	tkjos@...roid.com,
	maco@...roid.com,
	joelagnelf@...dia.com,
	surenb@...gle.com,
	linux-kernel@...r.kernel.org
Subject: [PATCH AUTOSEL 6.16 18/85] binder: Fix selftest page indexing

From: Tiffany Yang <ynaffit@...gle.com>

[ Upstream commit bea3e7bfa2957d986683543cbf57092715f9a91b ]

The binder allocator selftest was only checking the last page of buffers
that ended on a page boundary. Correct the page indexing to account for
buffers that are not page-aligned.

Signed-off-by: Tiffany Yang <ynaffit@...gle.com>
Acked-by: Carlos Llamas <cmllamas@...gle.com>
Link: https://lore.kernel.org/r/20250714185321.2417234-2-ynaffit@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

This commit fixes a genuine bug in the binder allocator selftest that
causes incorrect page boundary checking. The bug is an off-by-one error
in the page indexing calculation.

**Detailed Analysis:**

1. **Bug Description**: The original code uses `i < end / PAGE_SIZE`
   which misses checking the last page when buffers end exactly on a
   page boundary. For example:
   - If `end = 8192` (exactly 2 pages), `end / PAGE_SIZE = 2`, so the
     loop checks pages 0 and 1
   - However, when a buffer ends at byte 8192, it actually spans into
     the third page (pages 0, 1, and 2)
   - The fix `i <= (end - 1) / PAGE_SIZE` correctly calculates the last
     page index

2. **Impact**: This bug causes the selftest to skip validation of the
   last page for buffers that end on page boundaries, potentially
   missing memory allocation issues that the selftest is designed to
   catch.

3. **Fix Quality**: The fix is minimal (single line change),
   mathematically correct, and focused solely on fixing the indexing bug
   without introducing new functionality.

4. **Backport Criteria Met**:
   - **Bug fix**: Yes - fixes incorrect test coverage
   - **Small and contained**: Yes - single line change in selftest code
   - **No architectural changes**: Yes - simple indexing fix
   - **Minimal regression risk**: Yes - only affects selftest code, not
     production binder functionality
   - **Clear benefit**: Yes - ensures proper testing coverage for memory
     allocation

5. **Additional Evidence**:
   - The commit is acked by Carlos Llamas, a binder maintainer
   - The fix is in selftest code, which has lower risk than production
     code changes
   - The mathematical correction is straightforward and verifiable

This is an ideal candidate for stable backporting as it fixes a testing
gap that could allow memory allocation bugs to go undetected in stable
kernels.

 drivers/android/binder_alloc_selftest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder_alloc_selftest.c b/drivers/android/binder_alloc_selftest.c
index c88735c54848..486af3ec3c02 100644
--- a/drivers/android/binder_alloc_selftest.c
+++ b/drivers/android/binder_alloc_selftest.c
@@ -142,12 +142,12 @@ static void binder_selftest_free_buf(struct binder_alloc *alloc,
 	for (i = 0; i < BUFFER_NUM; i++)
 		binder_alloc_free_buf(alloc, buffers[seq[i]]);
 
-	for (i = 0; i < end / PAGE_SIZE; i++) {
 		/**
 		 * Error message on a free page can be false positive
 		 * if binder shrinker ran during binder_alloc_free_buf
 		 * calls above.
 		 */
+	for (i = 0; i <= (end - 1) / PAGE_SIZE; i++) {
 		if (list_empty(page_to_lru(alloc->pages[i]))) {
 			pr_err_size_seq(sizes, seq);
 			pr_err("expect lru but is %s at page index %d\n",
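
Review bot: The new bound `(end - 1) / PAGE_SIZE` on the added `for` line wraps around if `end` is unsigned and ever 0 (its type is not visible in this hunk), and the loop would then index `alloc->pages[i]` well beyond the pages the buffers cover. Writing the condition as `i < DIV_ROUND_UP(end, PAGE_SIZE)` checks the same final partial page and runs zero iterations for `end == 0`. Separately, moving the `for` line below the comment leaves the comment block indented one level deeper than the loop it now precedes, and it still opens with `/**`, which marks kernel-doc. Consider re-indenting the comment to match the `for` and opening it with a plain `/*`.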
-- 
2.39.5

