summaryrefslogtreecommitdiff
path: root/drivers/android/binder.c
diff options
context:
space:
mode:
authorJoel Stanley <joel@jms.id.au>2020-08-31 03:46:52 +0300
committerJoel Stanley <joel@jms.id.au>2020-08-31 03:46:57 +0300
commit0dd0c8c492fa70707ca4f0d36dcb2e3c64105b16 (patch)
treea420abd8f26264544246602c60d161a7cc4de390 /drivers/android/binder.c
parent31d8605658d37d9197a989838508481d5dc1d8bc (diff)
parent9ece50d8a470ca7235ffd6ac0f9c5f0f201fe2c8 (diff)
downloadlinux-dev-5.8.tar.xz
Merge tag 'v5.8.5' into dev-5.8dev-5.8
This is the 5.8.5 stable release Signed-off-by: Joel Stanley <joel@jms.id.au>
Diffstat (limited to 'drivers/android/binder.c')
-rw-r--r--drivers/android/binder.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f50c5f182bb5..5b310eea9e52 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2982,6 +2982,12 @@ static void binder_transaction(struct binder_proc *proc,
goto err_dead_binder;
}
e->to_node = target_node->debug_id;
+ if (WARN_ON(proc == target_proc)) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = -EINVAL;
+ return_error_line = __LINE__;
+ goto err_invalid_target_handle;
+ }
if (security_binder_transaction(proc->tsk,
target_proc->tsk) < 0) {
return_error = BR_FAILED_REPLY;
@@ -3635,10 +3641,17 @@ static int binder_thread_write(struct binder_proc *proc,
struct binder_node *ctx_mgr_node;
mutex_lock(&context->context_mgr_node_lock);
ctx_mgr_node = context->binder_context_mgr_node;
- if (ctx_mgr_node)
+ if (ctx_mgr_node) {
+ if (ctx_mgr_node->proc == proc) {
+ binder_user_error("%d:%d context manager tried to acquire desc 0\n",
+ proc->pid, thread->pid);
+ mutex_unlock(&context->context_mgr_node_lock);
+ return -EINVAL;
+ }
ret = binder_inc_ref_for_node(
proc, ctx_mgr_node,
strong, NULL, &rdata);
+ }
mutex_unlock(&context->context_mgr_node_lock);
}
if (ret)
generated by cgit v1.2.3 (git 2.39.0) at 2025-04-30 10:36:13 +0300