Unverified Commit 0bc4f6ba authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!4668 [sync] PR-4646: binder: fix use-after-free in shinker's callback 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/4646 
 
PR sync from: Ze Zuo <zuoze1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/UVX5JB5CFTELOC2OI5RDIJKFQXXDYFA6/ 
 
https://gitee.com/src-openeuler/kernel/issues/I92HXG 
 
Link:https://gitee.com/openeuler/kernel/pulls/4668

 

Reviewed-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 78b6d1b2 c45134ed

drivers/android/binder_alloc.c

+5 −1
Original line number Diff line number Diff line
@@ -1002,7 +1002,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, 
		goto err_mmget;

	if (!mmap_read_trylock(mm))

		goto err_mmap_read_lock_failed;

	vma = binder_alloc_get_vma(alloc);

	vma = find_vma(mm, page_addr);

	if (vma && vma != binder_alloc_get_vma(alloc))

		goto err_invalid_vma;



	list_lru_isolate(lru, item);

	spin_unlock(lock);
@@ -1028,6 +1030,8 @@ enum lru_status binder_alloc_free_page(struct list_head *item, 
	mutex_unlock(&alloc->mutex);

	return LRU_REMOVED_RETRY;



err_invalid_vma:

	mmap_read_unlock(mm);

err_mmap_read_lock_failed:

	mmput_async(mm);

err_mmget: