binder: protect against two threads freeing buffer

Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Todd Kjos <tkjos@android.com> 2017-06-29 12:01:51 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-07-17 14:47:29 +0200
commit: 53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree: 669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent: e4cffcf4bf8b540e150c311e70559d735cc95358 (diff)
download: linux-53d311cfa19ad35beba74d706effee02c86d198f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3bbfb2455b70..a1912a22c89c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2024,8 +2024,8 @@ static int binder_thread_write(struct binder_proc *proc,
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
 
-			buffer = binder_alloc_buffer_lookup(&proc->alloc,
-							    data_ptr);
+			buffer = binder_alloc_prepare_to_free(&proc->alloc,
+							      data_ptr);
 			if (buffer == NULL) {
 				binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
 					proc->pid, thread->pid, (u64)data_ptr);
author	Todd Kjos <tkjos@android.com>	2017-06-29 12:01:51 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-07-17 14:47:29 +0200
commit	53d311cfa19ad35beba74d706effee02c86d198f (patch)
tree	669eb2b29fbf3b3c0dd24e8eb16212017eb0f24d /drivers/android/binder.c
parent	e4cffcf4bf8b540e150c311e70559d735cc95358 (diff)
download	linux-53d311cfa19ad35beba74d706effee02c86d198f.tar.gz