-rw-r--r--drivers/android/binder.c21
-rw-r--r--drivers/android/binder_alloc.c16
-rw-r--r--drivers/android/binder_alloc.h3
3 files changed, 19 insertions, 21 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index cb30a524d16d..9f1000d2a40c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2974,7 +2974,6 @@ static void binder_transaction(struct binder_proc *proc,
2974 t->buffer = NULL; 2974 t->buffer = NULL;
2975 goto err_binder_alloc_buf_failed; 2975 goto err_binder_alloc_buf_failed;
2976 } 2976 }
2977 t->buffer->allow_user_free = 0;
2978 t->buffer->debug_id = t->debug_id; 2977 t->buffer->debug_id = t->debug_id;
2979 t->buffer->transaction = t; 2978 t->buffer->transaction = t;
2980 t->buffer->target_node = target_node; 2979 t->buffer->target_node = target_node;
@@ -3510,14 +3509,18 @@ static int binder_thread_write(struct binder_proc *proc,
3510 3509
3511 buffer = binder_alloc_prepare_to_free(&proc->alloc, 3510 buffer = binder_alloc_prepare_to_free(&proc->alloc,
3512 data_ptr); 3511 data_ptr);
3513 if (buffer == NULL) { 3512 if (IS_ERR_OR_NULL(buffer)) {
3514 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", 3513 if (PTR_ERR(buffer) == -EPERM) {
3515 proc->pid, thread->pid, (u64)data_ptr); 3514 binder_user_error(
3516 break; 3515 "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
3517 } 3516 proc->pid, thread->pid,
3518 if (!buffer->allow_user_free) { 3517 (u64)data_ptr);
3519 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n", 3518 } else {
3520 proc->pid, thread->pid, (u64)data_ptr); 3519 binder_user_error(
3520 "%d:%d BC_FREE_BUFFER u%016llx no match\n",
3521 proc->pid, thread->pid,
3522 (u64)data_ptr);
3523 }
3521 break; 3524 break;
3522 } 3525 }
3523 binder_debug(BINDER_DEBUG_FREE_BUFFER, 3526 binder_debug(BINDER_DEBUG_FREE_BUFFER,
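Review bot: The new IS_ERR_OR_NULL branch at 3512 reports every error code other than -EPERM as "no match", so if binder_alloc_prepare_to_free() ever returns a different ERR_PTR the log would be misleading and nothing here would notice; including the value is cheap, e.g. `"%d:%d BC_FREE_BUFFER u%016llx no match (%ld)\n", proc->pid, thread->pid, (u64)data_ptr, PTR_ERR(buffer)`. Because the allocator now clears allow_user_free as part of the lookup, a failure anywhere between this point and the actual free (the rest of this BC_FREE_BUFFER case is outside the hunk) leaves the buffer unfreeable from user space — a leak rather than the use-after-free this commit closes, which is the right trade-off but should be stated at the call site: `/* prepare_to_free clears allow_user_free under alloc->mutex; from here on only the kernel can release this buffer, never re-check the flag here */`. binder_thread_write() begins before and continues past this hunk.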
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 64fd96eada31..030c98f35cca 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked(
151 else { 151 else {
152 /* 152 /*
153 * Guard against user threads attempting to 153 * Guard against user threads attempting to
154 * free the buffer twice 154 * free the buffer when in use by kernel or
155 * after it's already been freed.
155 */ 156 */
156 if (buffer->free_in_progress) { 157 if (!buffer->allow_user_free)
157 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 158 return ERR_PTR(-EPERM);
158 "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", 159 buffer->allow_user_free = 0;
159 alloc->pid, current->pid,
160 (u64)user_ptr);
161 return NULL;
162 }
163 buffer->free_in_progress = 1;
164 return buffer; 160 return buffer;
165 } 161 }
166 } 162 }
@@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked(
500 496
501 rb_erase(best_fit, &alloc->free_buffers); 497 rb_erase(best_fit, &alloc->free_buffers);
502 buffer->free = 0; 498 buffer->free = 0;
503 buffer->free_in_progress = 0; 499 buffer->allow_user_free = 0;
504 binder_insert_allocated_buffer_locked(alloc, buffer); 500 binder_insert_allocated_buffer_locked(alloc, buffer);
505 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 501 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
506 "%d: binder_alloc_buf size %zd got %pK\n", 502 "%d: binder_alloc_buf size %zd got %pK\n",
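Review bot: binder_alloc_prepare_to_free_locked() now returns ERR_PTR(-EPERM) in addition to a buffer or, presumably on the untouched paths of this function, NULL, but its kernel-doc and that of the unlocked wrapper binder_alloc_prepare_to_free() — both outside the hunk — need a Return: line covering all three outcomes, e.g. `Return: the matching buffer with allow_user_free cleared; NULL if no allocated buffer matches user_ptr; ERR_PTR(-EPERM) if the match is not, or no longer, user-freeable.` Any other caller of binder_alloc_prepare_to_free() that still tests the result with `== NULL` would dereference the error pointer, so every caller must be converted to IS_ERR_OR_NULL() the way binder_thread_write() is in this commit. The check-and-clear at 157-159 is only safe because it runs under alloc->mutex, and the initialisation moved into binder_alloc_new_buf_locked() at 499 is under the same lock; the site that sets allow_user_free to 1 is not in this diff, and since the flag shares a bitfield word with free, async_transaction and debug_id, that store is a non-atomic read-modify-write — worth a comment confirming it cannot overlap with any other writer of the same word. Both functions start and end outside the hunk.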
diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
index 9ef64e563856..fb3238c74c8a 100644
--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -50,8 +50,7 @@ struct binder_buffer {
50 unsigned free:1; 50 unsigned free:1;
51 unsigned allow_user_free:1; 51 unsigned allow_user_free:1;
52 unsigned async_transaction:1; 52 unsigned async_transaction:1;
53 unsigned free_in_progress:1; 53 unsigned debug_id:29;
54 unsigned debug_id:28;
55 54
56 struct binder_transaction *transaction; 55 struct binder_transaction *transaction;
57 56
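Review bot: allow_user_free keeps its slot but its contract changes in this commit — it is now cleared at allocation and checked-and-cleared under alloc->mutex in binder_alloc_prepare_to_free_locked() — yet the field carries no comment here and the struct's kernel-doc header is outside the hunk; add `/* checked and cleared under alloc->mutex; see binder_alloc_prepare_to_free_locked() */` or update the @allow_user_free line accordingly. Widening debug_id from 28 to 29 bits keeps the four bitfields within one 32-bit unit (1+1+1+29), so the struct layout is unchanged, but it is worth a sentence in the commit message since it is not obviously part of the fix. struct binder_buffer begins before and continues past this hunk.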