Merge remote-tracking branch 'aosp/android-4.9-q' into android-4.9-q-hikey4.9.325-699e4947e350-20220818-1085

* aosp/android-4.9-q: FROMLIST: binder: fix UAF of ref->proc caused by race condition
author: Linaro CI <ci-bot@linaro.org> 2022-08-18 07:49:55 +0000
committer: Linaro CI <ci-bot@linaro.org> 2022-08-18 07:49:55 +0000
commit: 0e14cd465c8ccf4d7c3c33cea950638fee2b3851 (patch)
tree: ad2a52d802abd90d30c002fe1cc8577c2826847c
parent: 49b2317080dcd8a0b5021f2988946c88db9df7c6 (diff)
parent: 699e4947e35070a91ae4008dcbc013ed525b4c11 (diff)
download: hikey-linaro-4.9.325-699e4947e350-20220818-1085.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index ee91741446c7..3d4009dc7c81 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1991,6 +1991,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
 	}
 	ret = binder_inc_ref_olocked(ref, strong, target_list);
 	*rdata = ref->data;
+	if (ret && ref == new_ref) {
+		/*
+		 * Cleanup the failed reference here as the target
+		 * could now be dead and have already released its
+		 * references by now. Calling on the new reference
+		 * with strong=0 and a tmp_refs will not decrement
+		 * the node. The new_ref gets kfree'd below.
+		 */
+		binder_cleanup_ref_olocked(new_ref);
+		ref = NULL;
+	}
+
 	binder_proc_unlock(proc);
 	if (new_ref && ref != new_ref)
 		/*
author	Linaro CI <ci-bot@linaro.org>	2022-08-18 07:49:55 +0000
committer	Linaro CI <ci-bot@linaro.org>	2022-08-18 07:49:55 +0000
commit	0e14cd465c8ccf4d7c3c33cea950638fee2b3851 (patch)
tree	ad2a52d802abd90d30c002fe1cc8577c2826847c
parent	49b2317080dcd8a0b5021f2988946c88db9df7c6 (diff)
parent	699e4947e35070a91ae4008dcbc013ed525b4c11 (diff)
download	hikey-linaro-4.9.325-699e4947e350-20220818-1085.tar.gz