On Tue, Jul 16, 2024 at 6:29 AM Carlos Llamas <cmllamas@xxxxxxxxxx> wrote:
> In commit 15d9da3f818c ("binder: use bitmap for faster descriptor
> lookup"), it was incorrectly assumed that references to the context
> manager node should always get descriptor zero assigned to them.
>
> However, if the context manager dies and a new process takes its place,
> then assigning descriptor zero to the new context manager might lead to
> collisions, as there could still be references to the older node. This
> issue was reported by syzbot with the following trace:
>
> kernel BUG at drivers/android/binder.c:1173!
> Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 1 PID: 447 Comm: binder-util Not tainted 6.10.0-rc6-00348-g31643d84b8c3 #10
> Hardware name: linux,dummy-virt (DT)
> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : binder_inc_ref_for_node+0x500/0x544
> lr : binder_inc_ref_for_node+0x1e4/0x544
> sp : ffff80008112b940
> x29: ffff80008112b940 x28: ffff0e0e40310780 x27: 0000000000000000
> x26: 0000000000000001 x25: ffff0e0e40310738 x24: ffff0e0e4089ba34
> x23: ffff0e0e40310b00 x22: ffff80008112bb50 x21: ffffaf7b8f246970
> x20: ffffaf7b8f773f08 x19: ffff0e0e4089b800 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: 000000002de4aa60
> x14: 0000000000000000 x13: 2de4acf000000000 x12: 0000000000000020
> x11: 0000000000000018 x10: 0000000000000020 x9 : ffffaf7b90601000
> x8 : ffff0e0e48739140 x7 : 0000000000000000 x6 : 000000000000003f
> x5 : ffff0e0e40310b28 x4 : 0000000000000000 x3 : ffff0e0e40310720
> x2 : ffff0e0e40310728 x1 : 0000000000000000 x0 : ffff0e0e40310710
> Call trace:
> binder_inc_ref_for_node+0x500/0x544
> binder_transaction+0xf68/0x2620
> binder_thread_write+0x5bc/0x139c
> binder_ioctl+0xef4/0x10c8
> [...]
>
> This patch adds back the previous behavior of assigning the next
> non-zero descriptor if references to previous context managers still
> exist. It amends both strategies, the newer dbitmap code and also the
> legacy slow_desc_lookup_olocked(), by allowing them to start looking
> for available descriptors at a given offset.
>
> Fixes: 15d9da3f818c ("binder: use bitmap for faster descriptor lookup")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-and-tested-by: syzbot+3dae065ca76952a67257@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/all/000000000000c1c0a0061d1e6979@xxxxxxxxxx/
> Signed-off-by: Carlos Llamas <cmllamas@xxxxxxxxxx>
You are changing dbitmap so that BIT(0) is no longer guaranteed to be
set, so you should update this comment:
/*
* Note that find_last_bit() returns dmap->nbits when no bits
* are set. While this is technically not possible here since
* BIT(0) is always set, this check is left for extra safety.
*/
if (bit == dmap->nbits)
return NBITS_MIN;
Otherwise LGTM. With the above comment fixed:
Reviewed-by: Alice Ryhl <aliceryhl@xxxxxxxxxx>
Alice
