diff options
| author | Christian Brauner <christian@brauner.io> | 2019-01-23 06:41:15 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-30 09:23:48 -0500 |
| commit | da8ddba566ff0a883237dbc8c5dadef1ca769e19 (patch) | |
| tree | 57e78c53fb1f3f539a5cfa6fd5dd896f10e051c5 /drivers/android | |
| parent | 793c8232937610ae00bc174b87d7fc324346eaea (diff) | |
binderfs: respect limit on binder control creation
We currently adhere to the reserved devices limit when creating new
binderfs devices in binderfs instances not located in the inital ipc
namespace. But it is still possible to rob the host instances of their 4
reserved devices by creating the maximum allowed number of devices in a
single binderfs instance located in a non-initial ipc namespace and then
mounting 4 separate binderfs instances in non-initial ipc namespaces. That
happens because the limit is currently not respected for the creation of
the initial binder-control device node. Block this nonsense by performing
the same check in binderfs_binder_ctl_create() that we perform in
binderfs_binder_device_create().
Fixes: 36bdf3cae09d ("binderfs: reserve devices for initial mount")
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binderfs.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index 6a2185eb66c5..7a550104a722 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c | |||
| @@ -395,6 +395,11 @@ static int binderfs_binder_ctl_create(struct super_block *sb) | |||
| 395 | struct inode *inode = NULL; | 395 | struct inode *inode = NULL; |
| 396 | struct dentry *root = sb->s_root; | 396 | struct dentry *root = sb->s_root; |
| 397 | struct binderfs_info *info = sb->s_fs_info; | 397 | struct binderfs_info *info = sb->s_fs_info; |
| 398 | #if defined(CONFIG_IPC_NS) | ||
| 399 | bool use_reserve = (info->ipc_ns == &init_ipc_ns); | ||
| 400 | #else | ||
| 401 | bool use_reserve = true; | ||
| 402 | #endif | ||
| 398 | 403 | ||
| 399 | device = kzalloc(sizeof(*device), GFP_KERNEL); | 404 | device = kzalloc(sizeof(*device), GFP_KERNEL); |
| 400 | if (!device) | 405 | if (!device) |
| @@ -413,7 +418,10 @@ static int binderfs_binder_ctl_create(struct super_block *sb) | |||
| 413 | 418 | ||
| 414 | /* Reserve a new minor number for the new device. */ | 419 | /* Reserve a new minor number for the new device. */ |
| 415 | mutex_lock(&binderfs_minors_mutex); | 420 | mutex_lock(&binderfs_minors_mutex); |
| 416 | minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL); | 421 | minor = ida_alloc_max(&binderfs_minors, |
| 422 | use_reserve ? BINDERFS_MAX_MINOR : | ||
| 423 | BINDERFS_MAX_MINOR_CAPPED, | ||
| 424 | GFP_KERNEL); | ||
| 417 | mutex_unlock(&binderfs_minors_mutex); | 425 | mutex_unlock(&binderfs_minors_mutex); |
| 418 | if (minor < 0) { | 426 | if (minor < 0) { |
| 419 | ret = minor; | 427 | ret = minor; |