diff options
author | Tao Huang <huangtao@rock-chips.com> | 2018-12-19 18:46:58 +0800 |
---|---|---|
committer | Tao Huang <huangtao@rock-chips.com> | 2018-12-19 18:46:58 +0800 |
commit | 04026c23c8d802ed28790c3f2861e779635ca46f (patch) | |
tree | cd08dbeeff4756bea34b04c743a3694c6dc7f5ad /drivers/android | |
parent | 8f3cd5ef835c52e645b83a906b4d9d0fa265a814 (diff) | |
parent | b6b5ee6576282dc102dfc69463d1147116b2e732 (diff) |
Merge branch 'linux-linaro-lsk-v4.4-android' of git://git.linaro.org/kernel/linux-linaro-stable.git
* linux-linaro-lsk-v4.4-android: (812 commits)
Linux 4.4.167
mac80211: ignore NullFunc frames in the duplicate detection
mac80211: fix reordering of buffered broadcast packets
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
mac80211: Clear beacon_int in ieee80211_do_stop
mac80211_hwsim: Timer should be initialized before device registered
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
tty: serial: 8250_mtk: always resume the device in probe.
cifs: Fix separator when building path from dentry
Staging: lustre: remove two build warnings
xhci: Prevent U1/U2 link pm states if exit latency is too long
SUNRPC: Fix leak of krb5p encode pages
virtio/s390: fix race in ccw_io_helper()
virtio/s390: avoid race on vcdev->config
ALSA: pcm: Fix interval evaluation with openmin/max
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
ALSA: pcm: Fix starvation on down_write_nonblock()
ALSA: hda: Add support for AMD Stoney Ridge
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
USB: check usb_get_extra_descriptor for proper size
...
Conflicts:
drivers/gpu/drm/rockchip/rockchip_drm_drv.c
drivers/usb/host/xhci-ring.c
Change-Id: I4304b0875908403a7d88a0d77da52cea04563c11
Diffstat (limited to 'drivers/android')
-rw-r--r-- | drivers/android/binder.c | 21 | ||||
-rw-r--r-- | drivers/android/binder_alloc.c | 14 | ||||
-rw-r--r-- | drivers/android/binder_alloc.h | 3 |
3 files changed, 19 insertions, 19 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d739baf6cad2..ddccbcadcb63 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3085,7 +3085,6 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - t->buffer->allow_user_free = 0; t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; t->buffer->target_node = target_node; @@ -3576,14 +3575,18 @@ static int binder_thread_write(struct binder_proc *proc, buffer = binder_alloc_prepare_to_free(&proc->alloc, data_ptr); - if (buffer == NULL) { - binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", - proc->pid, thread->pid, (u64)data_ptr); - break; - } - if (!buffer->allow_user_free) { - binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n", - proc->pid, thread->pid, (u64)data_ptr); + if (IS_ERR_OR_NULL(buffer)) { + if (PTR_ERR(buffer) == -EPERM) { + binder_user_error( + "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n", + proc->pid, thread->pid, + (u64)data_ptr); + } else { + binder_user_error( + "%d:%d BC_FREE_BUFFER u%016llx no match\n", + proc->pid, thread->pid, + (u64)data_ptr); + } break; } binder_debug(BINDER_DEBUG_FREE_BUFFER, diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 1d9db2ef26bd..baecb4bf9d9b 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -149,14 +149,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked( else { /* * Guard against user threads attempting to - * free the buffer twice + * free the buffer when in use by kernel or + * after it's already been freed. */ - if (buffer->free_in_progress) { - pr_err("%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", - alloc->pid, current->pid, (u64)user_ptr); - return NULL; - } - buffer->free_in_progress = 1; + if (!buffer->allow_user_free) + return ERR_PTR(-EPERM); + buffer->allow_user_free = 0; return buffer; } } @@ -463,7 +461,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked( rb_erase(best_fit, &alloc->free_buffers); buffer->free = 0; - buffer->free_in_progress = 0; + buffer->allow_user_free = 0; binder_insert_allocated_buffer_locked(alloc, buffer); binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, "%d: binder_alloc_buf size %zd got %pK\n", diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h index 9ef64e563856..fb3238c74c8a 100644 --- a/drivers/android/binder_alloc.h +++ b/drivers/android/binder_alloc.h @@ -50,8 +50,7 @@ struct binder_buffer { unsigned free:1; unsigned allow_user_free:1; unsigned async_transaction:1; - unsigned free_in_progress:1; - unsigned debug_id:28; + unsigned debug_id:29; struct binder_transaction *transaction; |