mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 13:53:33 +00:00
binder: Address corner cases in deferred copy and fixup
commit2d1746e3fd
upstream. When handling BINDER_TYPE_FDA object we are pushing a parent fixup with a certain skip_size but no scatter-gather copy object, since the copy is handled standalone. If BINDER_TYPE_FDA is the last children the scatter-gather copy loop will never stop to skip it, thus we are left with an item in the parent fixup list. This will trigger the BUG_ON(). This is reproducible in android when playing a video. We receive a transaction that looks like this: obj[0] BINDER_TYPE_PTR, parent obj[1] BINDER_TYPE_PTR, child obj[2] BINDER_TYPE_PTR, child obj[3] BINDER_TYPE_FDA, child Fixes:09184ae9b5
("binder: defer copies of pre-patched txn data") Acked-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@kernel.org> Signed-off-by: Alessandro Astone <ales.astone@gmail.com> Link: https://lore.kernel.org/r/20220415120015.52684-2-ales.astone@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
3bf989a7be
commit
62f8c07d84
1 changed files with 6 additions and 1 deletions
|
@ -2295,6 +2295,7 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
struct binder_sg_copy *sgc, *tmpsgc;
|
struct binder_sg_copy *sgc, *tmpsgc;
|
||||||
|
struct binder_ptr_fixup *tmppf;
|
||||||
struct binder_ptr_fixup *pf =
|
struct binder_ptr_fixup *pf =
|
||||||
list_first_entry_or_null(pf_head, struct binder_ptr_fixup,
|
list_first_entry_or_null(pf_head, struct binder_ptr_fixup,
|
||||||
node);
|
node);
|
||||||
|
@ -2349,7 +2350,11 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
|
||||||
list_del(&sgc->node);
|
list_del(&sgc->node);
|
||||||
kfree(sgc);
|
kfree(sgc);
|
||||||
}
|
}
|
||||||
BUG_ON(!list_empty(pf_head));
|
list_for_each_entry_safe(pf, tmppf, pf_head, node) {
|
||||||
|
BUG_ON(pf->skip_size == 0);
|
||||||
|
list_del(&pf->node);
|
||||||
|
kfree(pf);
|
||||||
|
}
|
||||||
BUG_ON(!list_empty(sgc_head));
|
BUG_ON(!list_empty(sgc_head));
|
||||||
|
|
||||||
return ret > 0 ? -EINVAL : ret;
|
return ret > 0 ? -EINVAL : ret;
|
||||||
|
|
Loading…
Reference in a new issue