diff options
author | Todd Kjos <tkjos@google.com> | 2017-04-21 14:32:11 -0700 |
---|---|---|
committer | Todd Kjos <tkjos@google.com> | 2017-07-13 15:13:19 +0000 |
commit | db51658467e03c756b7de23eb03ebeb63e607d4c (patch) | |
tree | 796f95460e9013a17bb248ace0b50561d816e6c1 /drivers/android/binder_alloc.h | |
parent | ce9b7747d6a1cb1b4b772b4e2c524ba1a56b551b (diff) |
FROMLIST: binder: protect against two threads freeing buffer
(from https://patchwork.kernel.org/patch/9817815/)
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.
Bug: 36650912
Change-Id: I43e078cbf31c0789aaff5ceaf8f1a94c75f79d45
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
Diffstat (limited to 'drivers/android/binder_alloc.h')
-rw-r--r-- | drivers/android/binder_alloc.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h index 721c511431f9..088e4ffc6230 100644 --- a/drivers/android/binder_alloc.h +++ b/drivers/android/binder_alloc.h @@ -48,7 +48,8 @@ struct binder_buffer { unsigned free:1; unsigned allow_user_free:1; unsigned async_transaction:1; - unsigned debug_id:29; + unsigned free_in_progress:1; + unsigned debug_id:28; struct binder_transaction *transaction; @@ -109,8 +110,8 @@ extern struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc, extern void binder_alloc_init(struct binder_alloc *alloc); extern void binder_alloc_vma_close(struct binder_alloc *alloc); extern struct binder_buffer * -binder_alloc_buffer_lookup(struct binder_alloc *alloc, - uintptr_t user_ptr); +binder_alloc_prepare_to_free(struct binder_alloc *alloc, + uintptr_t user_ptr); extern void binder_alloc_free_buf(struct binder_alloc *alloc, struct binder_buffer *buffer); extern int binder_alloc_mmap_handler(struct binder_alloc *alloc, |