author | Linus Torvalds | 2022-09-02 10:50:08 -0700 |
committer | Linus Torvalds | 2022-09-02 10:50:08 -0700 |
commit | ffb384c269dce238c588e0e8e3a85c0ec098a904 (patch) | |
tree | c9630ab81ed615b6c5bfee335317f1aff98d35e6 /drivers/android | |
parent | fd59585c420df1fc2df33bea2ed925b3373fbae2 (diff) | |
parent | 0f022aaac9ff2ceff683231b43923c650c90b47e (diff) |
Merge tag 'char-misc-6.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"Here are some small char/misc and other driver fixes for 6.0-rc4.
Included in here are:
- binder fixes for previous fixes, and a few more fixes uncovered by
them.
- iio driver fixes
- soundwire driver fixes
- fastrpc driver fixes for memory corruption on some hardware
- peci driver fix
- mhi driver fix
All of these have been in linux-next with no reported problems"
* tag 'char-misc-6.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
binder: fix alloc->vma_vm_mm null-ptr dereference
misc: fastrpc: increase maximum session count
misc: fastrpc: fix memory corruption on open
misc: fastrpc: fix memory corruption on probe
soundwire: qcom: fix device status array range
bus: mhi: host: Fix up null pointer access in mhi_irq_handler
soundwire: qcom: remove duplicate reset control get
iio: light: cm32181: make cm32181_pm_ops static
iio: ad7292: Prevent regulator double disable
dt-bindings: iio: gyroscope: bosch,bmg160: correct number of pins
iio: adc: mcp3911: use correct formula for AD conversion
iio: adc: mcp3911: correct "microchip,device-addr" property
Revert "binder_alloc: Add missing mmap_lock calls when using the VMA"
binder_alloc: Add missing mmap_lock calls when using the VMA
binder: fix UAF of ref->proc caused by race condition
iio: light: cm3605: Fix an error handling path in cm3605_probe()
iio: adc: mcp3911: make use of the sign bit
peci: cpu: Fix use-after-free in adev_release()
peci: aspeed: fix error check return value of platform_get_irq()
Diffstat (limited to 'drivers/android')
-rw-r--r-- | drivers/android/binder.c | 12 | ||||
-rw-r--r-- | drivers/android/binder_alloc.c | 4 |
2 files changed, 14 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index c964d7c8c384..6428f6be69e3 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1385,6 +1385,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
 	}
 	ret = binder_inc_ref_olocked(ref, strong, target_list);
 	*rdata = ref->data;
+	if (ret && ref == new_ref) {
+		/*
+		 * Cleanup the failed reference here as the target
+		 * could now be dead and have already released its
+		 * references by now. Calling on the new reference
+		 * with strong=0 and a tmp_refs will not decrement
+		 * the node. The new_ref gets kfree'd below.
+		 */
+		binder_cleanup_ref_olocked(new_ref);
+		ref = NULL;
+	}
+
 	binder_proc_unlock(proc);
 	if (new_ref && ref != new_ref)
 		/*
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 51f4e1c5cd01..9b1778c00610 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
 	 */
 	if (vma) {
 		vm_start = vma->vm_start;
-		alloc->vma_vm_mm = vma->vm_mm;
 		mmap_assert_write_locked(alloc->vma_vm_mm);
 	} else {
 		mmap_assert_locked(alloc->vma_vm_mm);
@@ -795,7 +794,6 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
 	binder_insert_free_buffer(alloc, buffer);
 	alloc->free_async_space = alloc->buffer_size / 2;
 	binder_alloc_set_vma(alloc, vma);
-	mmgrab(alloc->vma_vm_mm);
 
 	return 0;
 
@@ -1091,6 +1089,8 @@ static struct shrinker binder_shrinker = {
 void binder_alloc_init(struct binder_alloc *alloc)
 {
 	alloc->pid = current->group_leader->pid;
+	alloc->vma_vm_mm = current->mm;
+	mmgrab(alloc->vma_vm_mm);
 	mutex_init(&alloc->mutex);
 	INIT_LIST_HEAD(&alloc->buffers);
 }
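Review bot: `*rdata = ref->data;` is copied before the new `if (ret && ref == new_ref)` branch in the binder.c hunk, so on the error path the caller is handed data describing a reference that binder_cleanup_ref_olocked() has just torn down, and a caller that reads `*rdata` without first checking `ret` would act on a dead handle. The contract should be made explicit on the assignment, e.g. `/* on error *rdata is stale: the new ref it describes is cleaned up below */`, or the copy should be done only when `ret == 0`. Doing the cleanup while still holding the proc lock, before binder_proc_unlock(), is the right ordering for the race the commit message describes. binder_inc_ref_for_node() begins and ends outside this hunk, so the kfree of new_ref that the comment refers to cannot be checked here.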
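Review bot: binder_alloc_set_vma() now asserts the lock on `alloc->vma_vm_mm`, which binder_alloc_init() pins from `current->mm`, but nothing in the @@ -322 or @@ -795 hunks ties the `vma` passed in to that mm; if the mmap path does not already reject a vma from a different mm (such a check, if it exists, would sit earlier in binder_alloc_mmap_handler or its caller, outside the hunk), the assertion checks the wrong mm's lock and the page work that follows runs against the wrong address space. A cheap invariant check inside the `if (vma)` branch, `WARN_ON_ONCE(vma->vm_mm != alloc->vma_vm_mm);`, or an `-EINVAL` return at the top of binder_alloc_mmap_handler before any buffer is set up, would make that assumption visible. Moving mmgrab() into binder_alloc_init() (@@ -1091) also means the mm reference is now taken for every opener, including ones that never mmap, so the matching mmdrop() on the release path, which is outside this diff, has to run unconditionally rather than only when a mapping was established.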