diff options
| author | Martijn Coenen <maco@android.com> | 2018-02-16 03:47:15 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-02-16 05:16:38 -0500 |
| commit | 5eeb2ca02a2f6084fc57ae5c244a38baab07033a (patch) | |
| tree | 86ee4c41c581810a860fc963293da1bed7724798 /drivers/android | |
| parent | 8ca86f1639ec5890d400fff9211aca22d0a392eb (diff) | |
ANDROID: binder: synchronize_rcu() when using POLLFREE.
To prevent races with ep_remove_waitqueue() removing the
waitqueue at the same time.
Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binder.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a85f9033b57e..764b63a5aade 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c | |||
| @@ -4382,6 +4382,15 @@ static int binder_thread_release(struct binder_proc *proc, | |||
| 4382 | 4382 | ||
| 4383 | binder_inner_proc_unlock(thread->proc); | 4383 | binder_inner_proc_unlock(thread->proc); |
| 4384 | 4384 | ||
| 4385 | /* | ||
| 4386 | * This is needed to avoid races between wake_up_poll() above and | ||
| 4387 | * and ep_remove_waitqueue() called for other reasons (eg the epoll file | ||
| 4388 | * descriptor being closed); ep_remove_waitqueue() holds an RCU read | ||
| 4389 | * lock, so we can be sure it's done after calling synchronize_rcu(). | ||
| 4390 | */ | ||
| 4391 | if (thread->looper & BINDER_LOOPER_STATE_POLL) | ||
| 4392 | synchronize_rcu(); | ||
| 4393 | |||
| 4385 | if (send_reply) | 4394 | if (send_reply) |
| 4386 | binder_send_failed_reply(send_reply, BR_DEAD_REPLY); | 4395 | binder_send_failed_reply(send_reply, BR_DEAD_REPLY); |
| 4387 | binder_release_work(proc, &thread->todo); | 4396 | binder_release_work(proc, &thread->todo); |