binder: protect against two threads freeing buffer

Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Todd Kjos <tkjos@android.com> 2017-06-29 15:01:51 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-07-17 08:47:29 -0400
commit: 53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree: 669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent: e4cffcf4bf8b540e150c311e70559d735cc95358 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3bbfb2455b70..a1912a22c89c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2024,8 +2024,8 @@ static int binder_thread_write(struct binder_proc *proc,
                                return -EFAULT;
                        ptr += sizeof(binder_uintptr_t);
-                        buffer = binder_alloc_buffer_lookup(&proc->alloc,
+                        buffer = binder_alloc_prepare_to_free(&proc->alloc,
-                                                            data_ptr);
+                                                              data_ptr);
                        if (buffer == NULL) {
                                binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
                                        proc->pid, thread->pid, (u64)data_ptr);
author	Todd Kjos <tkjos@android.com>	2017-06-29 15:01:51 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-07-17 08:47:29 -0400
commit	53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree	669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent	e4cffcf4bf8b540e150c311e70559d735cc95358 (diff)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 3bbfb2455b70..a1912a22c89c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c
@@ -2024,8 +2024,8 @@ static int binder_thread_write(struct binder_proc *proc,
2024	return -EFAULT;	2024	return -EFAULT;
2025	ptr += sizeof(binder_uintptr_t);	2025	ptr += sizeof(binder_uintptr_t);
2026		2026
2027	buffer = binder_alloc_buffer_lookup(&proc->alloc,	2027	buffer = binder_alloc_prepare_to_free(&proc->alloc,
2028	data_ptr);	2028	data_ptr);
2029	if (buffer == NULL) {	2029	if (buffer == NULL) {
2030	binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",	2030	binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
2031	proc->pid, thread->pid, (u64)data_ptr);	2031	proc->pid, thread->pid, (u64)data_ptr);