iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

binder: fix atomic sleep when get extended error

Browse Source 
binder_inner_proc_lock(thread->proc) is a spin lock, copy_to_user can't
be called with in this lock.

Copy it as a local variable to fix it.

Fixes: bd32889e841c ("binder: add BINDER_GET_EXTENDED_ERROR ioctl")
Reported-by: syzbot+46fff6434a7f968ecb39@syzkaller.appspotmail.com
Reviewed-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Schspa Shi <schspa@gmail.com>
Link: https://lore.kernel.org/r/20220518011754.49348-1-schspa@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Schspa Shi 2022-05-18 09:17:54 +08:00 committed by Greg Kroah-Hartman
parent dafa5e9ab8
commit aed86f8add
1 changed files with 6 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
drivers/android/binder.c
View File

@ -5163,19 +5163,16 @@ static int binder_ioctl_get_freezer_info(
static int binder_ioctl_get_extended_error(struct binder_thread *thread,
void __user *ubuf)
{
struct binder_extended_error *ee = &thread->ee;
struct binder_extended_error ee;
binder_inner_proc_lock(thread->proc);
if (copy_to_user(ubuf, ee, sizeof(*ee))) {
binder_inner_proc_unlock(thread->proc);
return -EFAULT;
}
ee->id = 0;
ee->command = BR_OK;
ee->param = 0;
ee = thread->ee;
binder_set_extended_error(&thread->ee, 0, BR_OK, 0);
binder_inner_proc_unlock(thread->proc);
if (copy_to_user(ubuf, &ee, sizeof(ee)))
return -EFAULT;
return 0;
}