release/5.2.41/binderfs-use-refcount-for-binder-control-devices-too.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 750850d7a8ef65d7b088c6b8e8700d36b37bf6ab Mon Sep 17 00:00:00 2001
 From: Christian Brauner <christian.brauner@ubuntu.com>
 Date: Wed, 11 Mar 2020 11:53:09 +0100
 Subject: [PATCH] binderfs: use refcount for binder control devices too

 commit 211b64e4b5b6bd5fdc19cd525c2cc9a90e6b0ec9 upstream.

 Binderfs binder-control devices are cleaned up via binderfs_evict_inode
 too() which will use refcount_dec_and_test(). However, we missed to set
 the refcount for binderfs binder-control devices and so we underflowed
 when the binderfs instance got unmounted. Pretty obvious oversight and
 should have been part of the more general UAF fix. The good news is that
 having test cases (suprisingly) helps.

 Technically, we could detect that we're about to cleanup the
 binder-control dentry in binderfs_evict_inode() and then simply clean it
 up. But that makes the assumption that the binder driver itself will
 never make use of a binderfs binder-control device after the binderfs
 instance it belongs to has been unmounted and the superblock for it been
 destroyed. While it is unlikely to ever come to this let's be on the
 safe side. Performance-wise this also really doesn't matter since the
 binder-control device is only every really when creating the binderfs
 filesystem or creating additional binder devices. Both operations are
 pretty rare.

 Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
 Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
 Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
 Cc: stable@vger.kernel.org
 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 Acked-by: Todd Kjos <tkjos@google.com>
 Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
 index 86b8dc3acbd6..67982cabe068 100644
 --- a/drivers/android/binderfs.c
 +++ b/drivers/android/binderfs.c
 @@ -439,6 +439,7 @@ static int binderfs_binder_ctl_create(struct super_block *sb)
  	inode->i_uid = info->root_uid;
  	inode->i_gid = info->root_gid;

 +	refcount_set(&device->ref, 1);
  	device->binderfs_inode = inode;
  	device->miscdev.minor = minor;

 --
 2.7.4
	From 750850d7a8ef65d7b088c6b8e8700d36b37bf6ab Mon Sep 17 00:00:00 2001
	From: Christian Brauner <christian.brauner@ubuntu.com>
	Date: Wed, 11 Mar 2020 11:53:09 +0100
	Subject: [PATCH] binderfs: use refcount for binder control devices too

	commit 211b64e4b5b6bd5fdc19cd525c2cc9a90e6b0ec9 upstream.

	Binderfs binder-control devices are cleaned up via binderfs_evict_inode
	too() which will use refcount_dec_and_test(). However, we missed to set
	the refcount for binderfs binder-control devices and so we underflowed
	when the binderfs instance got unmounted. Pretty obvious oversight and
	should have been part of the more general UAF fix. The good news is that
	having test cases (suprisingly) helps.

	Technically, we could detect that we're about to cleanup the
	binder-control dentry in binderfs_evict_inode() and then simply clean it
	up. But that makes the assumption that the binder driver itself will
	never make use of a binderfs binder-control device after the binderfs
	instance it belongs to has been unmounted and the superblock for it been
	destroyed. While it is unlikely to ever come to this let's be on the
	safe side. Performance-wise this also really doesn't matter since the
	binder-control device is only every really when creating the binderfs
	filesystem or creating additional binder devices. Both operations are
	pretty rare.

	Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
	Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
	Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
	Cc: stable@vger.kernel.org
	Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
	Acked-by: Todd Kjos <tkjos@google.com>
	Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
	index 86b8dc3acbd6..67982cabe068 100644
	--- a/drivers/android/binderfs.c
	+++ b/drivers/android/binderfs.c
	@@ -439,6 +439,7 @@ static int binderfs_binder_ctl_create(struct super_block *sb)
	inode->i_uid = info->root_uid;
	inode->i_gid = info->root_gid;

	+ refcount_set(&device->ref, 1);
	device->binderfs_inode = inode;
	device->miscdev.minor = minor;

	--
	2.7.4