Staging: binder: Prevent the wrong thread from adding a transaction to the stack.

If a thread is part of a transaction stack, it is only allowed to make another call if it was the target of the top transaction on the stack. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Arve Hjønnevåg <arve@android.com> 2009-04-06 18:12:59 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2009-04-17 14:06:27 -0400
commit: 0cf24a7dc9123ddf63c413b6d4b38017b19db713 (patch)
tree: 7a11d6b10d3f7d32ad2b08fa617313f897fbb10c
parent: 7af7467efa64affc6505375ceac97d68cfb58e94 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 91a96292e6bb..b0127a3290d0 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread,
                if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
                        struct binder_transaction *tmp;
                        tmp = thread->transaction_stack;
+                        if (tmp->to_thread != thread) {
+                                binder_user_error("binder: %d:%d got new "
+                                        "transaction with bad transaction stack"
+                                        ", transaction %d has target %d:%d\n",
+                                        proc->pid, thread->pid, tmp->debug_id,
+                                        tmp->to_proc ? tmp->to_proc->pid : 0,
+                                        tmp->to_thread ?
+                                        tmp->to_thread->pid : 0);
+                                return_error = BR_FAILED_REPLY;
+                                goto err_bad_call_stack;
+                        }
                        while (tmp) {
                                if (tmp->from && tmp->from->proc == target_proc)
                                        target_thread = tmp->from;
author	Arve Hjønnevåg <arve@android.com>	2009-04-06 18:12:59 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2009-04-17 14:06:27 -0400
commit	0cf24a7dc9123ddf63c413b6d4b38017b19db713 (patch)
tree	7a11d6b10d3f7d32ad2b08fa617313f897fbb10c
parent	7af7467efa64affc6505375ceac97d68cfb58e94 (diff)

diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 91a96292e6bb..b0127a3290d0 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c
@@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc proc, struct binder_thread thread,
1343	if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {	1343	if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
1344	struct binder_transaction *tmp;	1344	struct binder_transaction *tmp;
1345	tmp = thread->transaction_stack;	1345	tmp = thread->transaction_stack;
		1346	if (tmp->to_thread != thread) {
		1347	binder_user_error("binder: %d:%d got new "
		1348	"transaction with bad transaction stack"
		1349	", transaction %d has target %d:%d\n",
		1350	proc->pid, thread->pid, tmp->debug_id,
		1351	tmp->to_proc ? tmp->to_proc->pid : 0,
		1352	tmp->to_thread ?
		1353	tmp->to_thread->pid : 0);
		1354	return_error = BR_FAILED_REPLY;
		1355	goto err_bad_call_stack;
		1356	}
1346	while (tmp) {	1357	while (tmp) {
1347	if (tmp->from && tmp->from->proc == target_proc)	1358	if (tmp->from && tmp->from->proc == target_proc)
1348	target_thread = tmp->from;	1359	target_thread = tmp->from;