| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-12-03 01:56:15 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-12-03 01:56:15 -0500 |
| commit | 22fee7d3851314f8384c9d44233bb86a2862ed64 (patch) | |
| tree | f080b7f8b8f4e24e3e349a4c45ce9463718716f8 /drivers/android | |
| parent | b5570ca7c475bffbc5fc2e9af994dc6d249eb13e (diff) | |
| parent | 2595646791c319cadfdbf271563aac97d0843dc7 (diff) | |
Merge 4.20-rc5 into char-misc-next
We need the fixes in here as well.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binder.c | 21 | ||||
| -rw-r--r-- | drivers/android/binder_alloc.c | 16 | ||||
| -rw-r--r-- | drivers/android/binder_alloc.h | 3 |
3 files changed, 19 insertions, 21 deletions
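--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3004,7 +3004,6 @@ static void binder_transaction(struct binder_proc *proc,
 t->buffer = NULL;
 goto err_binder_alloc_buf_failed;
 }
-t->buffer->allow_user_free = 0;
 t->buffer->debug_id = t->debug_id;
 t->buffer->transaction = t;
 t->buffer->target_node = target_node;
@@ -3540,14 +3539,18 @@ static int binder_thread_write(struct binder_proc *proc,
 
 buffer = binder_alloc_prepare_to_free(&proc->alloc,
 data_ptr);
-if (buffer == NULL) {
-binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
-proc->pid, thread->pid, (u64)data_ptr);
-break;
-}
-if (!buffer->allow_user_free) {
-binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n",
-proc->pid, thread->pid, (u64)data_ptr);
+if (IS_ERR_OR_NULL(buffer)) {
+if (PTR_ERR(buffer) == -EPERM) {
+binder_user_error(
+"%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
+proc->pid, thread->pid,
+(u64)data_ptr);
+} else {
+binder_user_error(
+"%d:%d BC_FREE_BUFFER u%016llx no match\n",
+proc->pid, thread->pid,
+(u64)data_ptr);
+}
 break;
 }
 binder_debug(BINDER_DEBUG_FREE_BUFFER,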
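Review bot: The failure check in the BC_FREE_BUFFER path of binder_thread_write now depends on a mixed return convention that nothing in the hunk documents: NULL when no buffer matches data_ptr, ERR_PTR(-EPERM) when the buffer may not be freed by user space. The branch works because PTR_ERR(NULL) is 0 and falls through to the "no match" message, but that is easy to break in a later edit. I would add a comment above the test, e.g. `/* NULL: no buffer at data_ptr; ERR_PTR(-EPERM): buffer not returned to user space, or its free was already requested */`. Any other caller of binder_alloc_prepare_to_free() that still tests only for NULL would dereference the error pointer; none is visible on this page, so that needs checking in the tree. The enclosing case body starts and ends outside the hunk.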
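--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked(
 else {
 /*
 * Guard against user threads attempting to
-* free the buffer twice
+* free the buffer when in use by kernel or
+* after it's already been freed.
 */
-if (buffer->free_in_progress) {
-binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
-"%d:%d FREE_BUFFER u%016llx user freed buffer twice\n",
-alloc->pid, current->pid,
-(u64)user_ptr);
-return NULL;
-}
-buffer->free_in_progress = 1;
+if (!buffer->allow_user_free)
+return ERR_PTR(-EPERM);
+buffer->allow_user_free = 0;
 return buffer;
 }
 }
@@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked(
 
 rb_erase(best_fit, &alloc->free_buffers);
 buffer->free = 0;
-buffer->free_in_progress = 0;
+buffer->allow_user_free = 0;
 binder_insert_allocated_buffer_locked(alloc, buffer);
 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
 "%d: binder_alloc_buf size %zd got %pK\n",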
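Review bot: The guard in binder_alloc_prepare_to_free_locked is now a test-and-clear of `allow_user_free`, and the comment above it does not say that clearing the flag is what makes a second free request for the same pointer fail. The check and the clear are only atomic with respect to another thread if the caller holds the allocator's lock, which the `_locked` suffix suggests but the hunk does not show. I would extend the comment with a line such as `* Clearing allow_user_free claims the buffer for this free; the caller must hold the allocator lock.` Separately, the removed binder_alloc_debug call was the only message that named a double free; the replacement message in binder.c covers both cases, so logs no longer distinguish a repeated free from a free of an unreturned buffer. The function starts outside the hunk.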
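--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -50,8 +50,7 @@ struct binder_buffer {
 unsigned free:1;
 unsigned allow_user_free:1;
 unsigned async_transaction:1;
-unsigned free_in_progress:1;
-unsigned debug_id:28;
+unsigned debug_id:29;
 
 struct binder_transaction *transaction;
 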
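Review bot: With `free_in_progress` removed, `allow_user_free` in struct binder_buffer carries two meanings (the buffer may be freed by user space, and no free has been accepted for it yet), and the field has no comment in this hunk saying so. I would document it next to the bitfield, e.g. `/* cleared at allocation and again when a free request is accepted; presumably set once the buffer is returned to user space */`, or in the struct's kernel-doc block if one exists above the hunk. If that block still lists `free_in_progress`, the entry is stale after this change. The struct definition starts and ends outside the hunk.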
