Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d89bde86 authored by Steven Moreland's avatar Steven Moreland Committed by Android (Google) Code Review
Browse files

Merge changes Id84fc396,I63b15567 into main 

* changes:
  RPC Binder: terminate session for bad dec strong
  RPC Binder: stronger type checks for AsyncTodo
parents 37aa10a5 e0cb1808

libs/binder/RpcState.cpp

+5 −3
Original line number Diff line number Diff line
@@ -953,7 +953,8 @@ processTransactInternalTailCall: 
                // we need to process some other asynchronous transaction

                // first

                it->second.asyncTodo.push(BinderNode::AsyncTodo{

                        .ref = target,

                        // checked above

                        .ref = sp<BBinder>::fromExisting(target->localBinder()),

                        .data = std::move(transactionData),

                        .ancillaryFds = std::move(ancillaryFds),

                        .asyncNumber = transaction->asyncNumber,
@@ -1205,8 +1206,9 @@ status_t RpcState::processDecStrong(const sp<RpcSession::RpcConnection>& connect 
    RpcMutexUniqueLock _l(mNodeMutex);

    auto it = mNodeForAddress.find(addr);

    if (it == mNodeForAddress.end()) {

        ALOGE("Unknown binder address %" PRIu64 " for dec strong.", addr);

        return OK;

        ALOGE("Unknown binder address %" PRIu64 " for dec strong. Terminating!", addr);

        (void)session->shutdownAndWait(false);

        return BAD_VALUE;

    }



    sp<IBinder> target = it->second.binder.promote();

libs/binder/RpcState.h

+2 −2
Original line number Diff line number Diff line
@@ -251,9 +251,9 @@ private: 
        // CASE A - local binder we are serving

        //



        // async transaction queue, _only_ for local binder

        struct AsyncTodo {

            sp<IBinder> ref;

            // any transaction, including async, can only be on local binders

            sp<BBinder> ref;

            CommandData data;

            std::vector<std::variant<binder::unique_fd, binder::borrowed_fd>> ancillaryFds;

            uint64_t asyncNumber = 0;