diff options
| author | Riley Andrews <riandrews@android.com> | 2015-05-28 15:10:14 -0700 |
|---|---|---|
| committer | Simon Shields <keepcalm444@gmail.com> | 2016-03-15 18:24:23 +1100 |
| commit | 14f55d438ceb4fb380151f601a78a937e1bb7e5e (patch) | |
| tree | b0790f1107e661e5a94987556edd400366a8319b | |
| parent | ceb67cdf816dafbd03a31821eaaf718cb180c414 (diff) | |
| download | kernel_samsung_smdk4412-14f55d438ceb4fb380151f601a78a937e1bb7e5e.zip kernel_samsung_smdk4412-14f55d438ceb4fb380151f601a78a937e1bb7e5e.tar.gz kernel_samsung_smdk4412-14f55d438ceb4fb380151f601a78a937e1bb7e5e.tar.bz2 | |
android: drivers: workaround debugfs race in binder
If a /d/binder/proc/[pid] entry is kept open after linux has
torn down the associated process, binder_proc_show can deference
an invalid binder_proc that has been stashed in the debugfs
inode. Validate that the binder_proc ptr passed into binder_proc_show
has not been freed by looking for it within the global process list
whilst the global lock is held. If the ptr is not valid, print nothing.
Bug 19587483
Change-Id: I4abc6443d96cca6500608976cded5ff3d1697d33
Signed-off-by: Riley Andrews <riandrews@android.com>
| -rw-r--r-- | drivers/staging/android/binder.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index aad750b..42b23f6 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -3545,13 +3545,25 @@ static int binder_transactions_show(struct seq_file *m, void *unused) static int binder_proc_show(struct seq_file *m, void *unused) { + struct binder_proc *itr; struct binder_proc *proc = m->private; + struct hlist_node *pos; int do_lock = !binder_debug_no_lock; + bool valid_proc = false; if (do_lock) - mutex_lock(&binder_lock); - seq_puts(m, "binder proc state:\n"); - print_binder_proc(m, proc, 1); + binder_lock(__func__); + + hlist_for_each_entry(itr, pos, &binder_procs, proc_node) { + if (itr == proc) { + valid_proc = true; + break; + } + } + if (valid_proc) { + seq_puts(m, "binder proc state:\n"); + print_binder_proc(m, proc, 1); + } if (do_lock) mutex_unlock(&binder_lock); return 0; |