Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 40843cf5 authored Sep 13, 2022 by Steven Moreland Committed by Automerger Merge Worker Sep 13, 2022

Merge "libbinder: fix buffer free race" am: c6fc862b am: 245dff1f am:...

Merge "libbinder: fix buffer free race" am: c6fc862b am: 245dff1f am: e14ff5c8 am: e9f50efb am: 96e99447

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2210443

Change-Id: I119e1d10397146d434d7f97103dba1ce6c2d9529
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

parents aba4d3ec 96e99447

libs/binder/IPCThreadState.cpp

+7 −0

Original line number	Diff line number	Diff line
		@@ -1318,6 +1318,13 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
		LOG_ONEWAY("Sending reply to %d!", mCallingPid);
		if (error < NO_ERROR) reply.setError(error);

		// b/238777741: clear buffer before we send the reply.
		// Otherwise, there is a race where the client may
		// receive the reply and send another transaction
		// here and the space used by this transaction won't
		// be freed for the client.
		buffer.setDataSize(0);

		constexpr uint32_t kForwardReplyFlags = TF_CLEAR_BUF;
		sendReply(reply, (tr.flags & kForwardReplyFlags));
		} else {

libs/binder/tests/binderLibTest.cpp

+1 −2

Original line number	Diff line number	Diff line
		@@ -1161,8 +1161,7 @@ TEST_F(BinderLibTest, VectorSent) {
		// see ProcessState.cpp BINDER_VM_SIZE = 1MB.
		// This value is not exposed, but some code in the framework relies on being able to use
		// buffers near the cap size.
		// TODO(b/238777741): why do larger values, like 300K fail sometimes
		constexpr size_t kSizeBytesAlmostFull = 100'000;
		constexpr size_t kSizeBytesAlmostFull = 950'000;
		constexpr size_t kSizeBytesOverFull = 1'050'000;

		TEST_F(BinderLibTest, GargantuanVectorSent) {