On Fri, Jan 05, 2018 at 11:27:07AM +0100, Martijn Coenen wrote:
> binder_poll() passes the thread->wait waitqueue that
> can be slept on for work. When a thread that uses
> epoll explicitly exits using BINDER_THREAD_EXIT,
> the waitqueue is freed, but it is never removed
> from the corresponding epoll data structure. When
> the process subsequently exits, the epoll cleanup
> code tries to access the waitlist, which results in
> a use-after-free.
>
> Prevent this by using POLLFREE when the thread exits.
>
> Signed-off-by: Martijn Coenen <maco@xxxxxxxxxxx>
> Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
> ---
> drivers/android/binder.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)

Should this be a 4.15-final thing, as well as backported to any range of older kernels?

thanks,

greg k-h