tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   1e2a199f6ccdc15cf111d68d212e2fd4ce65682e
commit: f3277cbfba763cd2826396521b9296de67cf1bbc binder: fix UAF when releasing 
todo list
date:   3 months ago
config: nds32-randconfig-m031-20210120 (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

New smatch warnings:
drivers/android/binder.c:4585 (null)() warn: inconsistent indenting
drivers/android/binder.c:4586 (null)() warn: ignoring unreachable code.

Old smatch warnings:
drivers/android/binder.c:2342 binder_transaction_buffer_release() warn: if();
drivers/android/binder.c:2401 binder_transaction_buffer_release() warn: 
inconsistent indenting
drivers/android/binder.c:2402 binder_transaction_buffer_release() warn: 
ignoring unreachable code.
drivers/android/binder.c:4593 (null)() warn: inconsistent indenting
drivers/android/binder.c:4599 (null)() warn: inconsistent indenting
drivers/android/binder.c:4610 (null)() warn: inconsistent indenting
drivers/android/binder.c:4616 (null)() warn: inconsistent indenting
drivers/android/binder.c:5170 binder_mmap() warn: if();

vim +4585 drivers/android/binder.c

355b0502f6efea0f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 
 4562  
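/**
 * binder_release_work() - drain and free the undelivered work on a list
 * @proc:	the owning process; its inner lock serializes access to @list
 * @list:	the work list to release (a todo list being torn down)
 *
 * Dequeues every struct binder_work on @list and disposes of it according
 * to its type. The type is copied while proc->inner_lock is still held:
 * once the lock is dropped the item must be treated as possibly gone,
 * because for some work types the struct binder_work is embedded in an
 * object that another path may free. This is the use-after-free that
 * commit f3277cbfba763cd2 ("binder: fix UAF when releasing todo list")
 * addresses, going by its title; the exact racing free path is not
 * visible here and should be confirmed against the commit message.
 * BINDER_WORK_NODE therefore does nothing with @w after the unlock, and
 * the default case only reports the copied type.
 *
 * Context: proc->inner_lock must not be held by the caller; it is taken
 * and released once per dequeued item.
 */
static void binder_release_work(struct binder_proc *proc,
				struct list_head *list)
{
	struct binder_work *w;
	enum binder_work_type wtype;

	while (1) {
		binder_inner_proc_lock(proc);
		w = binder_dequeue_work_head_ilocked(list);
		/* Snapshot the type under the lock; w may be freed after unlock. */
		wtype = w ? w->type : 0;
		binder_inner_proc_unlock(proc);
		if (!w)
			return;

		/*
		 * Each braced case ends with its own break; keeping the
		 * break inside the braces avoids the "} break;" form that
		 * smatch reports as inconsistent indenting / unreachable code.
		 */
		switch (wtype) {
		case BINDER_WORK_TRANSACTION: {
			struct binder_transaction *t;

			t = container_of(w, struct binder_transaction, work);

			binder_cleanup_transaction(t, "process died.",
						   BR_DEAD_REPLY);
			break;
		}
		case BINDER_WORK_RETURN_ERROR: {
			struct binder_error *e = container_of(
					w, struct binder_error, work);

			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_ERROR: %u\n",
				e->cmd);
			break;
		}
		case BINDER_WORK_TRANSACTION_COMPLETE: {
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_COMPLETE\n");
			/* The work item itself is the allocation here. */
			kfree(w);
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
			break;
		}
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
			struct binder_ref_death *death;

			death = container_of(w, struct binder_ref_death, work);
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered death notification, %016llx\n",
				(u64)death->cookie);
			kfree(death);
			binder_stats_deleted(BINDER_STAT_DEATH);
			break;
		}
		case BINDER_WORK_NODE:
			/* Nothing to free; w must not be dereferenced here. */
			break;
		default:
			/* Only the copied type is used, never w. */
			pr_err("unexpected work type, %d, not freed\n",
			       wtype);
			break;
		}
	}
}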
355b0502f6efea0f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 
 4619  

:::::: The code at line 4585 was first introduced by commit
:::::: 355b0502f6efea0ff9492753888772c96972d2a3 Revert "Staging: android: 
delete android drivers"

:::::: TO: Greg Kroah-Hartman <[email protected]>
:::::: CC: Greg Kroah-Hartman <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

Attachment: .config.gz
Description: application/gzip
