When a process forks a child process, we should not allow the child process to use the binder which was opened by the parent process.
But if the binder-object creator is a thread of a process and that thread exits, the other threads can still use this binder-object normally. We can distinguish this by the member proc->tsk->mm. If the thread exits, tsk->mm will be NULL.
proc->tsk->mm != current->tsk->mm && proc->tsk->mm
So only allow the shared mm_struct to use the same binder-object and check the existence of mm_struct.
Signed-off-by: Chen Feng puck.chen@hisilicon.com Signed-off-by: Wei Dong weidong2@hisilicon.com Signed-off-by: Junmin Zhao zhaojunmin@huawei.com Reviewed-by: Zhuangluan Su suzhuangluan@hisilicon.com --- drivers/android/binder.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a39e85f..3a74c5d 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2736,6 +2736,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
/*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/
+ if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm))
+ return -EINVAL;
trace_binder_ioctl(cmd, arg);
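Review bot: The `&& proc->tsk->mm` term in the added check makes it fail open: once the task that opened the node has exited and its `mm` is NULL, every caller passes, including a forked child that inherited the file descriptor, which is the case the description says should be refused. `proc->tsk->mm` is also read twice without `task_lock()`, so the two reads can disagree if the opener is exiting concurrently. Comparing against an identity that survives the opener's exit would avoid both, for example `if (unlikely(!same_thread_group(proc->tsk, current))) return -EINVAL;`, assuming `proc->tsk` is still pinned at this point and that refusing CLONE_VM tasks outside the thread group is acceptable. binder_ioctl's body starts and ends outside the hunk.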
Hi Chen,
[auto build test ERROR on v4.4-rc8] [also build test ERROR on next-20160118] [if your patch is applied to the wrong git tree, please drop us a note to help improving the system]
url: https://github.com/0day-ci/linux/commits/Chen-Feng/android-binder-Sanity-che... config: x86_64-randconfig-x009-201603 (attached as .config) reproduce: # save the attached .config to linux build tree make ARCH=x86_64
All error/warnings (new ones prefixed by >>):
In file included from include/asm-generic/bug.h:4:0, from arch/x86/include/asm/bug.h:35, from include/linux/bug.h:4, from include/linux/mmdebug.h:4, from include/linux/mm.h:8, from include/asm-generic/cacheflush.h:5, from arch/x86/include/asm/cacheflush.h:5, from drivers/android/binder.c:20: drivers/android/binder.c: In function 'binder_ioctl':
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:28: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:28: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:28: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:123:14: note: in expansion of macro 'likely_notrace' ______r = likely_notrace(x); \ ^ include/linux/compiler.h:137:58: note: in expansion of macro '__branch_check__' # define unlikely(x) (__builtin_constant_p(x) ? !!(x) : __branch_check__(x, 0)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:40: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:40: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:147:40: note: in definition of macro '__trace_if' if (__builtin_constant_p((cond)) ? !!(cond) : \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:123:14: note: in expansion of macro 'likely_notrace' ______r = likely_notrace(x); \ ^ include/linux/compiler.h:137:58: note: in expansion of macro '__branch_check__' # define unlikely(x) (__builtin_constant_p(x) ? !!(x) : __branch_check__(x, 0)) ^
drivers/android/binder.c:2739:6: note: in expansion of macro 'unlikely'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
drivers/android/binder.c:2739:39: error: 'struct task_struct' has no member named 'tsk'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^ include/linux/compiler.h:158:16: note: in definition of macro '__trace_if' ______r = !!(cond); \ ^
drivers/android/binder.c:2739:2: note: in expansion of macro 'if'
if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) ^
vim +2739 drivers/android/binder.c
2733 struct binder_thread *thread; 2734 unsigned int size = _IOC_SIZE(cmd); 2735 void __user *ubuf = (void __user *)arg; 2736 2737 /*pr_info("binder_ioctl: %d:%d %x %lx\n", 2738 proc->pid, current->pid, cmd, arg);*/
2739 if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm))
2740 return -EINVAL; 2741 2742 trace_binder_ioctl(cmd, arg);
--- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation