From: Greg Kroah-Hartman
Date: Thu, 6 Jun 2019 07:20:29 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.1.8~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f755bb6199bf0cd685d02769a3ade29156ff301f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
binder-fix-race-between-munmap-and-direct-reclaim.patch
revert-binder-fix-handling-of-misaligned-binder-object.patch
---
diff --git a/queue-4.19/binder-fix-race-between-munmap-and-direct-reclaim.patch b/queue-4.19/binder-fix-race-between-munmap-and-direct-reclaim.patch
new file mode 100644
index 00000000000..720c869a1f4
--- /dev/null
+++ b/queue-4.19/binder-fix-race-between-munmap-and-direct-reclaim.patch
@@ -0,0 +1,70 @@
+From tkjos@android.com Thu Jun 6 09:18:12 2019
+From: Todd Kjos
+Date: Wed, 5 Jun 2019 09:38:25 -0700
+Subject: binder: fix race between munmap() and direct reclaim
+To: tkjos@google.com, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: ben.hutchings@codethink.co.uk, Alexander.Levin@microsoft.com, Joel Fernandes
+Message-ID: <20190605163825.178537-2-tkjos@google.com>
+
+From: Todd Kjos
+
+commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream.
+
+An munmap() on a binder device causes binder_vma_close() to be called
+which clears the alloc->vma pointer.
+
+If direct reclaim causes binder_alloc_free_page() to be called, there
+is a race where alloc->vma is read into a local vma pointer and then
+used later after the mm->mmap_sem is acquired. This can result in
+calling zap_page_range() with an invalid vma which manifests as a
+use-after-free in zap_page_range().
+
+The fix is to check alloc->vma after acquiring the mmap_sem (which we
+were acquiring anyway) and skip zap_page_range() if it has changed
+to NULL.
+
+Cc: Ben Hutchings
+Signed-off-by: Todd Kjos
+Reviewed-by: Joel Fernandes (Google)
+Cc: stable # 4.19
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(s
+
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
++
++ mm = alloc->vma_vm_mm;
++ if (!mmget_not_zero(mm))
++ goto err_mmget;
++ if (!down_write_trylock(&mm->mmap_sem))
++ goto err_down_write_mmap_sem_failed;
+ vma = binder_alloc_get_vma(alloc);
+- if (vma) {
+- if (!mmget_not_zero(alloc->vma_vm_mm))
+- goto err_mmget;
+- mm = alloc->vma_vm_mm;
+- if (!down_write_trylock(&mm->mmap_sem))
+- goto err_down_write_mmap_sem_failed;
+- }
+
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -978,10 +977,9 @@ enum lru_status binder_alloc_free_page(s
+ PAGE_SIZE);
+
+ trace_binder_unmap_user_end(alloc, index);
+-
+- up_write(&mm->mmap_sem);
+- mmput(mm);
+ }
++ up_write(&mm->mmap_sem);
++ mmput(mm);
+
+ trace_binder_unmap_kernel_start(alloc, index);
+
diff --git a/queue-4.19/revert-binder-fix-handling-of-misaligned-binder-object.patch b/queue-4.19/revert-binder-fix-handling-of-misaligned-binder-object.patch
new file mode 100644
index 00000000000..d1bb2e8001d
--- /dev/null
+++ b/queue-4.19/revert-binder-fix-handling-of-misaligned-binder-object.patch
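Review bot: In this hunk's first inner hunk the new code is only correct because `vma = binder_alloc_get_vma(alloc);` now runs after `down_write_trylock(&mm->mmap_sem)` has succeeded, yet nothing at that line says so, and the companion revert in this same commit shows how easily the two orderings get swapped back. I would put a comment above the `vma =` line: `/* Read alloc->vma only after mmap_sem is held: binder_vma_close() clears it under that lock, so a NULL seen here stays NULL until up_write(). */` — that lock relationship is what the commit message asserts; confirm binder_vma_close() really runs with mmap_sem held for write on every munmap path before relying on it. The new code also hands `alloc->vma_vm_mm` to `mmget_not_zero(mm)` with no NULL check; presumably any page that reached the LRU was mapped first and so has vma_vm_mm populated, but that is inferred rather than shown in the hunk and is worth a word in the same comment. The enclosing binder_alloc_free_page() starts and ends outside the hunk.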
@@ -0,0 +1,59 @@
+From tkjos@android.com Thu Jun 6 09:17:35 2019
+From: Todd Kjos
+Date: Wed, 5 Jun 2019 09:38:24 -0700
+Subject: Revert "binder: fix handling of misaligned binder object"
+To: tkjos@google.com, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: ben.hutchings@codethink.co.uk, Alexander.Levin@microsoft.com
+Message-ID: <20190605163825.178537-1-tkjos@google.com>
+
+From: Todd Kjos
+
+This reverts commit 6bf7d3c5c0c5dad650bfc4345ed553c18b69d59e.
+
+The commit message is for a different patch. Reverting and then adding
+the same patch back with the correct commit message.
+
+Reported-by: Ben Hutchings
+Cc: stable # 4.19
+Signed-off-by: Todd Kjos
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -958,13 +958,14 @@ enum lru_status binder_alloc_free_page(s
+
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
+-
+- mm = alloc->vma_vm_mm;
+- if (!mmget_not_zero(mm))
+- goto err_mmget;
+- if (!down_write_trylock(&mm->mmap_sem))
+- goto err_down_write_mmap_sem_failed;
+ vma = binder_alloc_get_vma(alloc);
++ if (vma) {
++ if (!mmget_not_zero(alloc->vma_vm_mm))
++ goto err_mmget;
++ mm = alloc->vma_vm_mm;
++ if (!down_write_trylock(&mm->mmap_sem))
++ goto err_down_write_mmap_sem_failed;
++ }
+
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -977,9 +978,10 @@ enum lru_status binder_alloc_free_page(s
+ PAGE_SIZE);
+
+ trace_binder_unmap_user_end(alloc, index);
++
++ up_write(&mm->mmap_sem);
++ mmput(mm);
+ }
+- up_write(&mm->mmap_sem);
+- mmput(mm);
+
+ trace_binder_unmap_kernel_start(alloc, index);
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 3b209860994..e4895db9f99 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -62,3 +62,5 @@ drm-lease-make-sure-implicit-planes-are-leased.patch
 compiler-attributes-add-support-for-__copy-gcc-9.patch
 include-linux-module.h-copy-__init-__exit-attrs-to-init-cleanup_module.patch
 revert-x86-build-move-_etext-to-actual-end-of-.text.patch
+revert-binder-fix-handling-of-misaligned-binder-object.patch
+binder-fix-race-between-munmap-and-direct-reclaim.patch