binder: protect against two threads freeing buffer

Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Signed-off-by: Todd Kjos <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
author: Todd Kjos <[email protected]> 2017-06-29 19:01:51 +0000
committer: Greg Kroah-Hartman <[email protected]> 2017-07-17 12:47:29 +0000
commit: 53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree: 669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent: binder: remove dead code in binder_get_ref_for_node (diff)
download: kernel-53d311cfa19ad35beba74d706effee02c86d198f.tar.gz
kernel-53d311cfa19ad35beba74d706effee02c86d198f.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3bbfb2455b70..a1912a22c89c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2024,8 +2024,8 @@ static int binder_thread_write(struct binder_proc *proc,
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
 
-			buffer = binder_alloc_buffer_lookup(&proc->alloc,
-							    data_ptr);
+			buffer = binder_alloc_prepare_to_free(&proc->alloc,
+							      data_ptr);
 			if (buffer == NULL) {
 				binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
 					proc->pid, thread->pid, (u64)data_ptr);
author	Todd Kjos <[email protected]>	2017-06-29 19:01:51 +0000
committer	Greg Kroah-Hartman <[email protected]>	2017-07-17 12:47:29 +0000
commit	53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree	669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent	binder: remove dead code in binder_get_ref_for_node (diff)
download	kernel-53d311cfa19ad35beba74d706effee02c86d198f.tar.gz kernel-53d311cfa19ad35beba74d706effee02c86d198f.zip