diff options
| author |   Todd Kjos <tkjos@android.com> | 2017-06-29 12:01:51 -0700 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-07-17 14:47:29 +0200 |
| commit | 53d311cfa19ad35beba74d706effee02c86d198f (patch) | |
| tree | 669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c | |
| parent | binder: remove dead code in binder_get_ref_for_node (diff) | |
| download | linux-dev-53d311cfa19ad35beba74d706effee02c86d198f.tar.xz linux-dev-53d311cfa19ad35beba74d706effee02c86d198f.zip | |
binder: protect against two threads freeing buffer
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android/binder.c')
| -rw-r--r-- | drivers/android/binder.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 3bbfb2455b70..a1912a22c89c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2024,8 +2024,8 @@ static int binder_thread_write(struct binder_proc *proc, return -EFAULT; ptr += sizeof(binder_uintptr_t); - buffer = binder_alloc_buffer_lookup(&proc->alloc, - data_ptr); + buffer = binder_alloc_prepare_to_free(&proc->alloc, + data_ptr); if (buffer == NULL) { binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", proc->pid, thread->pid, (u64)data_ptr); |