]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4d0ee2b)
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
authorArve Hjønnevåg <arve@android.com>
Mon, 24 Oct 2016 13:20:30 +0000 (15:20 +0200)
committerJiri Slaby <jslaby@suse.cz>
Tue, 22 Nov 2016 19:43:38 +0000 (20:43 +0100)
commit 4afb604e2d14d429ac9e1fd84b952602853b2df5 upstream.

Prevents leaking pointers between processes

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
drivers/staging/android/binder.c patch | blob | blame | history

diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 8a436dae9b77d42237b32166ca05e39f98a886d5..a29a383d160de07a0c3f72f9d86fed423202cc6c 100644 (file)
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1541,7 +1541,9 @@ static void binder_transaction(struct binder_proc *proc,
                                fp->type = BINDER_TYPE_HANDLE;
                        else
                                fp->type = BINDER_TYPE_WEAK_HANDLE;
+                       fp->binder = NULL;
                        fp->handle = ref->desc;
+                       fp->cookie = NULL;
                        binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
                                       &thread->todo);
 
@@ -1584,7 +1586,9 @@ static void binder_transaction(struct binder_proc *proc,
                                        return_error = BR_FAILED_REPLY;
                                        goto err_binder_get_ref_for_node_failed;
                                }
+                               fp->binder = NULL;
                                fp->handle = new_ref->desc;
+                               fp->cookie = NULL;
                                binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
                                trace_binder_transaction_ref_to_ref(t, ref,
                                                                    new_ref);
@@ -1631,6 +1635,7 @@ static void binder_transaction(struct binder_proc *proc,
                        binder_debug(BINDER_DEBUG_TRANSACTION,
                                     "        fd %d -> %d\n", fp->handle, target_fd);
                        /* TODO: fput? */
+                       fp->binder = NULL;
                        fp->handle = target_fd;
                } break;
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git