On Wed, Oct 6, 2021 at 3:48 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Wed, Oct 06, 2021 at 10:43:11PM +0000, Ramji Jiyani wrote:
> > Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.")
> > Signed-off-by: Ramji Jiyani <ramjiyani@xxxxxxxxxx>
> > Reviewed-by: Jeff Moyer <jmoyer@xxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx # 4.19+
>
> The commit that this claims to be fixing is in linux-4.4.y, so either the fixes
> tag is wrong or the Cc stable tag is wrong. It's important to provide correct
> information here for backporting purposes, so please do so.
>
Stable tag is correct; Fixes tag in this case is tricky.
In 4.4 only way to poll binder file was via eventpoll and since binder wasn't
flagging the POLLFREE before thread exit there was an UAF. Which got fixed
by the commit currently Fixes tag is referring.
Later, aio got enhanced by adding a polling feature in 4.19 [1].
That introduced one more way to poll binder files; but it did not include
support for POLLFREE, so UAF exists.
Should the Fixes tag refer to Commit bfe4037e722e ("aio: implement
IOCB_CMD_POLL") [2] in this case?
[1] https://lore.kernel.org/lkml/20180110155853.32348-32-hch@xxxxxx/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/aio.c?h=v4.19.209&id=bfe4037e722ec672c9dafd5730d9132afeeb76e9
> - Eric
~ Ramji
