drivers: merged Android Binder from 4.9
binder: moved out of staging/

Change-Id: I8e1c4b31a6c7710956e9125a5e8fda1af8ad5c72

FROMLIST: binder: fix memory corruption in binder_transaction binder
(from https://patchwork.kernel.org/patch/9939405/ )

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in the err_dead_proc_or_thread case, the tcomplete is directly freed, without being dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing.

Bug: 65333488
Change-Id: Id063a4db18deaa634f4d44aa6ebca47bea32537a
Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>

FROMLIST: binder: fix a ret value override
(from https://patchwork.kernel.org/patch/9939409/ )

commit 372e3147df70 ("binder: guarantee txn complete / errors delivered in-order") incorrectly defined a local ret value. This ret value will be invalid when out of the if block.

Change-Id: If7bd963ac7e67d135aa949133263aac27bf15d1a
Signed-off-by: Xu YiPing <xuyiping@hislicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>

FROMLIST: binder: fix use-after-free in binder_transaction()
(from https://patchwork.kernel.org/patch/9978801/ )

User-space normally keeps the node alive when creating a transaction since it has a reference to the target. The local strong ref keeps it alive if the sending process dies before the target process processes the transaction. If the source process is malicious or has a reference counting bug, this can fail. In this case, when we attempt to decrement the node in the failure path, the node has already been freed. This is fixed by taking a tmpref on the node while constructing the transaction. To avoid re-acquiring the node lock and inner proc lock to increment the proc's tmpref, a helper is used that does the ref increments on both the node and proc.

Bug: 66899329
Change-Id: Iad40e1e0bccee88234900494fb52a510a37fe8d7
Signed-off-by: Todd Kjos <tkjos@google.com>

FROMLIST: binder: fix proc->files use-after-free
(from https://patchwork.kernel.org/patch/10058587/ )

proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files". The fix is to always use get_files_struct() to obtain struct_files so that the refcount on the files_struct is used to prevent a premature free. proc->files is removed since we get it every time.

Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
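Added example, not code from the binder driver or from this commit: a minimal model of the first fix above (tcomplete freed while still linked into thread->todo). The intrusive list, the `work` struct and the `freed` flag standing in for the allocator are all constructed for illustration; the flag lets the audit walk the list without touching memory that has really been released.

```c
/* Models "free without dequeue" on a todo list (hypothetical code, not binder's). */
#include <stddef.h>
#include <stdbool.h>

struct list_head { struct list_head *next, *prev; };

void list_init(struct list_head *h) { h->next = h->prev = h; }
void list_add_tail(struct list_head *n, struct list_head *h) {
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;            /* poison the unlinked entry */
}

/* Work item modelled on binder_work; `freed` stands in for kfree() so a
 * dangling list entry can be detected without a real use-after-free. */
struct work { struct list_head entry; bool freed; };

void work_free(struct work *w) { w->freed = true; }

/* Buggy error path: the item is still linked into the todo list. */
void err_path_buggy(struct work *tcomplete) { work_free(tcomplete); }

/* Fixed error path: unlink first, then free. */
void err_path_fixed(struct work *tcomplete) {
    list_del(&tcomplete->entry);
    work_free(tcomplete);
}

/* Audit: count list entries that now point at freed memory. */
int count_dangling(struct list_head *todo) {
    int n = 0;
    for (struct list_head *p = todo->next; p != todo; p = p->next) {
        struct work *w = (struct work *)((char *)p - offsetof(struct work, entry));
        if (w->freed) n++;
    }
    return n;
}

/* Enqueue tcomplete, take the chosen error path, then audit the list. */
int run_scenario(bool fixed) {
    struct list_head todo;
    struct work tcomplete = { .freed = false };
    list_init(&todo);
    list_add_tail(&tcomplete.entry, &todo);       /* like binder_enqueue_work */
    if (fixed) err_path_fixed(&tcomplete); else err_path_buggy(&tcomplete);
    return count_dangling(&todo);                 /* buggy: 1, fixed: 0 */
}
```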