diff options
Diffstat (limited to 'drivers/android/binder_alloc.c')
| -rw-r--r-- | drivers/android/binder_alloc.c | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 64fd96eada31..030c98f35cca 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c | |||
| @@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked( | |||
| 151 | else { | 151 | else { |
| 152 | /* | 152 | /* |
| 153 | * Guard against user threads attempting to | 153 | * Guard against user threads attempting to |
| 154 | * free the buffer twice | 154 | * free the buffer when in use by kernel or |
| 155 | * after it's already been freed. | ||
| 155 | */ | 156 | */ |
| 156 | if (buffer->free_in_progress) { | 157 | if (!buffer->allow_user_free) |
| 157 | binder_alloc_debug(BINDER_DEBUG_USER_ERROR, | 158 | return ERR_PTR(-EPERM); |
| 158 | "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", | 159 | buffer->allow_user_free = 0; |
| 159 | alloc->pid, current->pid, | ||
| 160 | (u64)user_ptr); | ||
| 161 | return NULL; | ||
| 162 | } | ||
| 163 | buffer->free_in_progress = 1; | ||
| 164 | return buffer; | 160 | return buffer; |
| 165 | } | 161 | } |
| 166 | } | 162 | } |
| @@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked( | |||
| 500 | 496 | ||
| 501 | rb_erase(best_fit, &alloc->free_buffers); | 497 | rb_erase(best_fit, &alloc->free_buffers); |
| 502 | buffer->free = 0; | 498 | buffer->free = 0; |
| 503 | buffer->free_in_progress = 0; | 499 | buffer->allow_user_free = 0; |
| 504 | binder_insert_allocated_buffer_locked(alloc, buffer); | 500 | binder_insert_allocated_buffer_locked(alloc, buffer); |
| 505 | binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, | 501 | binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, |
| 506 | "%d: binder_alloc_buf size %zd got %pK\n", | 502 | "%d: binder_alloc_buf size %zd got %pK\n", |