author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-11-30 23:43:17 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-11-30 23:43:17 +0300 |
commit | b6839ef26e549de68c10359d45163b0cfb031183 (patch) | |
tree | b4cd7b04c0af7acbd7a3be8149410520075a3ad7 /drivers/android/binder_alloc.c | |
parent | d7aca8a78c8bc5d3707691aab13cb4f7f6de696f (diff) | |
parent | 6484a677294aa5d08c0210f2f387ebb9be646115 (diff) | |
download | linux-b6839ef26e549de68c10359d45163b0cfb031183.tar.xz |
Merge tag 'char-misc-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc fixes from Greg KH:
"Here are a few small char/misc driver fixes for 4.20-rc5 that resolve
a number of reported issues.

The "largest" here is the thunderbolt patch, which resolves an issue
with NVM upgrade, the smallest being some fsi driver fixes. There's
also a hyperv bugfix, and the usual binder bugfixes.

All of these have been in linux-next with no reported issues"

* tag 'char-misc-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
  thunderbolt: Prevent root port runtime suspend during NVM upgrade
  Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
  binder: fix race that allows malicious free of live buffer
  fsi: fsi-scom.c: Remove duplicate header
  fsi: master-ast-cf: select GENERIC_ALLOCATOR

Diffstat (limited to 'drivers/android/binder_alloc.c')
-rw-r--r-- | drivers/android/binder_alloc.c | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 64fd96eada31..030c98f35cca 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked( else { /* * Guard against user threads attempting to - * free the buffer twice + * free the buffer when in use by kernel or + * after it's already been freed. */ - if (buffer->free_in_progress) { - binder_alloc_debug(BINDER_DEBUG_USER_ERROR, - "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", - alloc->pid, current->pid, - (u64)user_ptr); - return NULL; - } - buffer->free_in_progress = 1; + if (!buffer->allow_user_free) + return ERR_PTR(-EPERM); + buffer->allow_user_free = 0; return buffer; } } @@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked( rb_erase(best_fit, &alloc->free_buffers); buffer->free = 0; - buffer->free_in_progress = 0; + buffer->allow_user_free = 0; binder_insert_allocated_buffer_locked(alloc, buffer); binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, "%d: binder_alloc_buf size %zd got %pK\n", |
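
Review bot: in the first hunk (binder_alloc_prepare_to_free_locked), the rejection path changes from `return NULL` to `return ERR_PTR(-EPERM)`, so any caller that only tests the result against NULL would treat the error pointer as a valid buffer. This view is limited to drivers/android/binder_alloc.c and the call sites are not shown; confirm they are updated in the same change to check with IS_ERR_OR_NULL() or an equivalent test. The hunk also drops the binder_alloc_debug(BINDER_DEBUG_USER_ERROR, ...) message with no replacement in this file; consider keeping a BINDER_DEBUG_USER_ERROR line on the `!buffer->allow_user_free` path so a rejected user free still leaves a trace carrying alloc->pid and the user pointer.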
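
Review bot: in the second hunk (binder_alloc_new_buf_locked), `buffer->allow_user_free = 0;` inverts the sense of the flag it replaces: `free_in_progress = 0` left a freshly allocated buffer freeable by the user, while `allow_user_free = 0` keeps it unfreeable until some other code sets the flag to 1. Nothing in this file's diff sets it, so the point at which a buffer becomes user-freeable is not visible here. A comment at this assignment, or on the struct field, stating which code path sets allow_user_free and under which lock would document the hand-off that the guard in binder_alloc_prepare_to_free_locked depends on.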