Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c6fc862b authored by Steven Moreland's avatar Steven Moreland Committed by Gerrit Code Review
Browse files

Merge "libbinder: fix buffer free race"

parents 796287c6 ce15b9fc

libs/binder/IPCThreadState.cpp

+7 −0
Original line number Diff line number Diff line
@@ -1318,6 +1318,13 @@ status_t IPCThreadState::executeCommand(int32_t cmd) 
                LOG_ONEWAY("Sending reply to %d!", mCallingPid);

                if (error < NO_ERROR) reply.setError(error);



                // b/238777741: clear buffer before we send the reply.

                // Otherwise, there is a race where the client may

                // receive the reply and send another transaction

                // here and the space used by this transaction won't

                // be freed for the client.

                buffer.setDataSize(0);



                constexpr uint32_t kForwardReplyFlags = TF_CLEAR_BUF;

                sendReply(reply, (tr.flags & kForwardReplyFlags));

            } else {

libs/binder/tests/binderLibTest.cpp

+1 −2
Original line number Diff line number Diff line
@@ -1161,8 +1161,7 @@ TEST_F(BinderLibTest, VectorSent) { 
// see ProcessState.cpp BINDER_VM_SIZE = 1MB.

// This value is not exposed, but some code in the framework relies on being able to use

// buffers near the cap size.

// TODO(b/238777741): why do larger values, like 300K fail sometimes

constexpr size_t kSizeBytesAlmostFull = 100'000;

constexpr size_t kSizeBytesAlmostFull = 950'000;

constexpr size_t kSizeBytesOverFull = 1'050'000;



TEST_F(BinderLibTest, GargantuanVectorSent) {