Commit f5cb779b authored Jan 05, 2018 by Martijn Coenen Committed by Greg Kroah-Hartman Jan 09, 2018

ANDROID: binder: remove waitqueue when thread exits.



binder_poll() passes the thread->wait waitqueue that
can be slept on for work. When a thread that uses
epoll explicitly exits using BINDER_THREAD_EXIT,
the waitqueue is freed, but it is never removed
from the corresponding epoll data structure. When
the process subsequently exits, the epoll cleanup
code tries to access the waitlist, which results in
a use-after-free.

Prevent this by using POLLFREE when the thread exits.

Signed-off-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 16ae30ea

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 20daceef
· Nov 05, 2025

mentioned in commit 20daceef

mentioned in commit 20daceef8af6d2db89c6d8e47375514642cd6ce7

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 0bf138c0
· Nov 05, 2025

mentioned in commit 0bf138c0

mentioned in commit 0bf138c0d9b2576dadfc257b02a892485ee35243

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 026e4069
· Nov 05, 2025

mentioned in commit 026e4069

mentioned in commit 026e4069937f48c245441e7e9bfb1462b8e68130

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 3dfde6d3
· Nov 05, 2025

mentioned in commit 3dfde6d3

mentioned in commit 3dfde6d357b44e8b8185e797a1ef9cd371f6c735

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 631f238a
· Nov 05, 2025

mentioned in commit 631f238a

mentioned in commit 631f238a0d7bf51e592fe79069b2b06d0f5d4b66

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 82bd53b8
· Nov 05, 2025

mentioned in commit 82bd53b8

mentioned in commit 82bd53b8713775eeacd21c12fc5ca1964337e8b6

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit d5f4847a
· Nov 05, 2025

mentioned in commit d5f4847a

mentioned in commit d5f4847a84f8b9236487d08ad40ccd20c4a8b34e

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit f3c4f4ed
· Nov 05, 2025

mentioned in commit f3c4f4ed

mentioned in commit f3c4f4edba04e051887fe64b135df6d6a423f5fb

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit fca84496
· Nov 05, 2025

mentioned in commit fca84496

mentioned in commit fca84496c0438653e71afb00dcf579f713c8c584

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 175d993a
· Nov 05, 2025

mentioned in commit 175d993a

mentioned in commit 175d993a7267034b91e654c491400a6cc9efc427

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit e5355489
· Nov 05, 2025

mentioned in commit e5355489

mentioned in commit e53554894aed09eff2e9cc18c5c6a9eecb039c69

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit de80bc3f
· Nov 05, 2025

mentioned in commit de80bc3f

mentioned in commit de80bc3f3239658810a2d8bb7d6d23ed2aad21dc

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 556853b3
· Nov 05, 2025

mentioned in commit 556853b3

mentioned in commit 556853b32b4656f1072ed285ee06b9519bb5ed8b

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 78d32a54
· Nov 05, 2025

mentioned in commit 78d32a54

mentioned in commit 78d32a54441e423bdc87a424c2472943b27f2234

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 6dd3c297
· Nov 05, 2025

mentioned in commit 6dd3c297

mentioned in commit 6dd3c297197cfc8d6cb73be2a2eb946d102e40d8

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 413fba8e
· Nov 05, 2025

mentioned in commit 413fba8e

mentioned in commit 413fba8eca7507a0bc2e73e6538920bcf4beb8b1

Toggle commit list

Please to comment