Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
rust_binder: check current before closing fds

This list gets populated once the transaction is delivered to the target
process, at which point it's not touched again except in BC_FREE_BUFFER
and process exit, so if the list has been populated then this code
should not run in the context of the wrong userspace process.

However, why tempt fate? The function itself can run in the context of
both the sender and receiver, and if someone can engineer a scenario
where it runs in the sender and this list is non-empty (or future Rust
Binder changes make such a scenario possible), then that'd be a problem
because we'd be closing random unrelated fds in the wrong process.

Note that on process exit, the == comparison may actually fail because
it's called from a kthread. The fd closing code is a no-op on kthreads,
so there is no actual behavior difference, though.

Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260324-close-fd-check-current-v3-4-b94274bedac7@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Authored by Alice Ryhl, committed by Greg Kroah-Hartman
fc74559e ed72cfff

+15 -12
drivers/android/binder/allocation.rs
··· 257 257 } 258 258 } 259 259 260 - for &fd in &info.file_list.close_on_free { 261 - let closer = match DeferredFdCloser::new(GFP_KERNEL) { 262 - Ok(closer) => closer, 263 - Err(kernel::alloc::AllocError) => { 264 - // Ignore allocation failures. 265 - break; 266 - } 267 - }; 260 + if self.process.task == kernel::current!().group_leader() { 261 + for &fd in &info.file_list.close_on_free { 262 + let closer = match DeferredFdCloser::new(GFP_KERNEL) { 263 + Ok(closer) => closer, 264 + Err(kernel::alloc::AllocError) => { 265 + // Ignore allocation failures. 266 + break; 267 + } 268 + }; 268 269 269 - // Here, we ignore errors. The operation can fail if the fd is not valid, or if the 270 - // method is called from a kthread. However, this is always called from a syscall, 271 - // so the latter case cannot happen, and we don't care about the first case. 272 - let _ = closer.close_fd(fd); 270 + // Here, we ignore errors. The operation can fail if the fd is not valid, or if 271 + // the method is called from a kthread. However, this is always called from a 272 + // syscall, so the latter case cannot happen, and we don't care about the first 273 + // case. 274 + let _ = closer.close_fd(fd); 275 + } 273 276 } 274 277 275 278 if info.clear_on_free {
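Review bot: the comment kept inside the loop (new lines 270-274) is now inconsistent with both the added guard and the commit message: it still says "this is always called from a syscall, so the latter case cannot happen", yet the commit message states the function does run from a kthread on process exit, which is precisely when `self.process.task == kernel::current!().group_leader()` fails. Suggest rewording it to say that the kthread case is possible on process exit, that close_fd() is a no-op there anyway, and that the surrounding `if` already skips the loop in that situation. A one-line comment above the new `if` stating why the guard exists (never close fds in any process other than the transaction's target) would also help, since that rationale currently lives only in the commit message and not next to the check itself.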