author | Alessandro Astone <ales.astone@gmail.com> | 2022-04-15 14:00:14 +0200 |
---|---|---|
committer | Lee Jones <joneslee@google.com> | 2022-12-22 15:59:34 +0000 |
commit | 9a744ad1ae8bd4ee3c7ef2e1ba1b1d3f99bd1108 (patch) | |
tree | 244f703d3e8c0eceea89f9bed440d096c6c1bb2c | |
parent | 37390b7cc1dea68e1c98ca73bf075930704f109a (diff) | |
download | common-android13-5.15-2022-12_r2.tar.gz |
UPSTREAM: binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 (tag: android13-5.15-2022-12_r2)
Some android userspace is sending BINDER_TYPE_FDA objects with
num_fds=0. Like the previous patch, this is reproducible when
playing a video.
Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0
were 'correctly handled', as in no fixup was performed.
After commit 09184ae9b575 we aggregate fixup and skip regions in
binder_ptr_fixup structs and distinguish between the two by using
the skip_size field: if it's 0, then it's a fixup, otherwise skip.
When processing BINDER_TYPE_FDA objects with num_fds=0 we add a
skip region of skip_size=0, and this causes issues because now
binder_do_deferred_txn_copies will think this was a fixup region.
To address that, return early from binder_translate_fd_array to
avoid adding an empty skip region.
Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-1-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit ef38de9217a04c9077629a24652689d8fdb4c6c6)
Change-Id: I34fab41c0c1beee366a5df4724b263e4385ad13b
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>
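To make the skip_size ambiguity described in the message concrete, the following is an added example in plain C, not the kernel's code: a simplified model of the deferred-copy bookkeeping in which one region list carries both fixups and skip regions and skip_size == 0 is what marks a fixup. The struct and function names, the array-based region list, the 32-byte payload and the fd array at offset 16 are all assumptions of the example. It runs the same zero-length fd array through the list with and without the early return, and a genuine two-fd skip region for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed transaction layout for the demo (assumption, not binder's real
 * buffer format): a 32-byte payload with a BINDER_TYPE_FDA-like object whose
 * fd array would start at offset 16. */
#define BUF_LEN     32
#define FDA_OFFSET  16
#define MARKER      0xEE   /* what an earlier pass left in dst */
#define MAX_REGIONS 4

/* Model of the region entry: as the commit message describes, a single list
 * carries both fixups and skip regions, and skip_size == 0 means "fixup". */
struct ptr_fixup {
    size_t   offset;
    size_t   skip_size;
    uint64_t fixup_data;
};

/* Model of binder_translate_fd_array's bookkeeping: record a skip region
 * covering the fd array.  with_fix selects the upstream early return. */
static int add_fd_array_region(struct ptr_fixup *pf, size_t *npf,
                               size_t fda_offset, uint32_t num_fds, int with_fix)
{
    if (with_fix && num_fds == 0)
        return 0;                        /* the fix: never record an empty skip */
    if (*npf >= MAX_REGIONS)
        return -1;
    pf[*npf].offset     = fda_offset;
    pf[*npf].skip_size  = (size_t)num_fds * sizeof(uint32_t);
    pf[*npf].fixup_data = 0;             /* skip entries carry no fixup value */
    (*npf)++;
    return 0;
}

/* Model of binder_do_deferred_txn_copies: copy src into dst in pieces,
 * writing fixup_data at a fixup entry and leaving dst untouched across a
 * skip entry.  The decision is made purely from skip_size, so an entry with
 * skip_size == 0 is treated as a fixup whatever its origin. */
static int do_deferred_copies(uint8_t *dst, const uint8_t *src, size_t len,
                              const struct ptr_fixup *pf, size_t npf)
{
    size_t pos = 0;

    for (size_t i = 0; i < npf; i++) {
        if (pf[i].offset < pos || pf[i].offset > len)
            return -1;                   /* regions must be ordered and in range */
        memcpy(dst + pos, src + pos, pf[i].offset - pos);
        pos = pf[i].offset;
        if (pf[i].skip_size == 0) {      /* fixup: patch a pointer-sized value */
            if (pos + sizeof(uint64_t) > len)
                return -1;
            memcpy(dst + pos, &pf[i].fixup_data, sizeof(uint64_t));
            pos += sizeof(uint64_t);
        } else {                         /* skip: bytes already handled earlier */
            if (pos + pf[i].skip_size > len)
                return -1;
            pos += pf[i].skip_size;
        }
    }
    memcpy(dst + pos, src + pos, len - pos);
    return 0;
}

/* Run one transaction with an FDA object of num_fds entries at FDA_OFFSET
 * and leave the resulting buffer in out (BUF_LEN bytes).  Returns 0 on
 * success, -1 if the model rejected the region list. */
int run_copy(uint32_t num_fds, int with_fix, uint8_t *out)
{
    uint8_t src[BUF_LEN];
    struct ptr_fixup pf[MAX_REGIONS];
    size_t npf = 0;

    for (int i = 0; i < BUF_LEN; i++)
        src[i] = (uint8_t)(0x40 + i);    /* constructed, recognisable payload */
    memset(out, MARKER, BUF_LEN);

    if (add_fd_array_region(pf, &npf, FDA_OFFSET, num_fds, with_fix))
        return -1;
    return do_deferred_copies(out, src, BUF_LEN, pf, npf);
}

int main(void)
{
    static const struct { uint32_t num_fds; int with_fix; const char *label; } cases[] = {
        { 0, 0, "num_fds=0, before fix (empty skip misread as fixup)" },
        { 0, 1, "num_fds=0, after fix  (no region recorded)" },
        { 2, 1, "num_fds=2, after fix  (genuine skip region)" },
    };
    uint8_t out[BUF_LEN];

    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        if (run_copy(cases[c].num_fds, cases[c].with_fix, out) != 0) {
            printf("%s: rejected\n", cases[c].label);
            continue;
        }
        printf("%s:\n ", cases[c].label);
        for (int i = 0; i < BUF_LEN; i++)
            printf(" %02x", out[i]);
        printf("\n");
    }
    return 0;
}
```

In the first case the zero-length fd array produces an entry with skip_size 0, the copy loop takes it for a fixup and overwrites eight bytes of payload at offset 16 with fixup_data; with the early return no entry is recorded and the payload arrives intact, while a real two-fd array still yields an eight-byte skip region that the loop honours.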
-rw-r--r-- | drivers/android/binder.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 574324c2ae07..0eafc8440773 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2717,6 +2717,9 @@ static int binder_translate_fd_array(struct list_head *pf_head, struct binder_proc *proc = thread->proc; int ret; + if (fda->num_fds == 0) + return 0; + fd_buf_size = sizeof(u32) * fda->num_fds; if (fda->num_fds >= SIZE_MAX / sizeof(u32)) { binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n", |
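Review bot: the new `if (fda->num_fds == 0) return 0;` sits above the `fda->num_fds >= SIZE_MAX / sizeof(u32)` sanity check and everything that follows it in binder_translate_fd_array, so a zero-count FDA object now bypasses the whole of the function's remaining validation, not just the skip-region registration. That matches the commit message (there are no fds to translate, and before 09184ae9b575 no fixup was performed for this case), but the reason is not visible in the code itself; a one-line comment above the return, e.g. `/* nothing to translate and no skip region to record */`, would stop a later reader from "fixing" it by moving the return below the checks and reintroducing the empty skip_size=0 entry the message describes.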