1 files changed, 14 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 748ac489ef7e..bc26b5511f0a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1941,8 +1941,18 @@ static void binder_free_txn_fixups(struct binder_transaction *t)
 static void binder_free_transaction(struct binder_transaction *t)
 {
-        if (t->buffer)
+        struct binder_proc *target_proc = t->to_proc;
-                t->buffer->transaction = NULL;
+        if (target_proc) {
+                binder_inner_proc_lock(target_proc);
+                if (t->buffer)
+                        t->buffer->transaction = NULL;
+                binder_inner_proc_unlock(target_proc);
+        }
+        /*
+         * If the transaction has no target_proc, then
+         * t->buffer->transaction has already been cleared.
+         */
        binder_free_txn_fixups(t);
        kfree(t);
        binder_stats_deleted(BINDER_STAT_TRANSACTION);
@@ -3551,10 +3561,12 @@ err_invalid_target_handle:
 static void
 binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer)
 {
+        binder_inner_proc_lock(proc);
        if (buffer->transaction) {
                buffer->transaction->buffer = NULL;
                buffer->transaction = NULL;
        }
+        binder_inner_proc_unlock(proc);
        if (buffer->async_transaction && buffer->target_node) {
                struct binder_node *buf_node;
                struct binder_work *w;

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 748ac489ef7e..bc26b5511f0a 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c
@@ -1941,8 +1941,18 @@ static void binder_free_txn_fixups(struct binder_transaction *t)
1941		1941
1942	static void binder_free_transaction(struct binder_transaction *t)	1942	static void binder_free_transaction(struct binder_transaction *t)
1943	{	1943	{
1944	if (t->buffer)	1944	struct binder_proc *target_proc = t->to_proc;
1945	t->buffer->transaction = NULL;	1945
		1946	if (target_proc) {
		1947	binder_inner_proc_lock(target_proc);
		1948	if (t->buffer)
		1949	t->buffer->transaction = NULL;
		1950	binder_inner_proc_unlock(target_proc);
		1951	}
		1952	/*
		1953	* If the transaction has no target_proc, then
		1954	* t->buffer->transaction has already been cleared.
		1955	*/
1946	binder_free_txn_fixups(t);	1956	binder_free_txn_fixups(t);
1947	kfree(t);	1957	kfree(t);
1948	binder_stats_deleted(BINDER_STAT_TRANSACTION);	1958	binder_stats_deleted(BINDER_STAT_TRANSACTION);
@@ -3551,10 +3561,12 @@ err_invalid_target_handle:
3551	static void	3561	static void
3552	binder_free_buf(struct binder_proc proc, struct binder_buffer buffer)	3562	binder_free_buf(struct binder_proc proc, struct binder_buffer buffer)
3553	{	3563	{
		3564	binder_inner_proc_lock(proc);
3554	if (buffer->transaction) {	3565	if (buffer->transaction) {
3555	buffer->transaction->buffer = NULL;	3566	buffer->transaction->buffer = NULL;
3556	buffer->transaction = NULL;	3567	buffer->transaction = NULL;
3557	}	3568	}
		3569	binder_inner_proc_unlock(proc);
3558	if (buffer->async_transaction && buffer->target_node) {	3570	if (buffer->async_transaction && buffer->target_node) {
3559	struct binder_node *buf_node;	3571	struct binder_node *buf_node;
3560	struct binder_work *w;	3572	struct binder_work *w;