| author | Todd Kjos <tkjos@android.com> | 2017-11-27 09:32:33 -0800 |
|---|---|---|
| committer | Siddharth Kapoor <ksiddharth@google.com> | 2018-11-29 04:30:40 +0000 |
| commit | 10dfe3d271a9053ef6ecf16ac34389ebae34c7e0 (patch) | |
| tree | 5febe9275561ef7b6be341fb9668a209c51074a1 /tools/perf/scripts/python/syscall-counts.py | |
| parent | 143582c95e0c27a01c41ab1e6041a90b9138f9ca (diff) | |
UPSTREAM: binder: fix proc->files use-after-free

proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".

The fix is to protect proc->files with a mutex to prevent cleanup
while in use.

Bug: 120025789
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I40982bb0b4615bda5459538c20eb2a913964042c

Diffstat (limited to 'tools/perf/scripts/python/syscall-counts.py')
0 files changed, 0 insertions, 0 deletions
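
The locking pattern the commit message describes, as an added user-space model in C (not code from this commit or from the binder driver). The `proc_model` and `files_model` types, the `files_lock` name and the `-ESRCH` return value are assumptions made for the illustration.

```c
/* Constructed user-space model: a reference on the outer object does not pin the inner one. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct files_model { int next_fd; };      /* stands in for files_struct */

struct proc_model {                       /* stands in for binder_proc */
    int refcount;                         /* pins proc_model only, not *files */
    pthread_mutex_t files_lock;           /* hypothetical name for the mutex */
    struct files_model *files;            /* read and written only under files_lock */
};

struct proc_model *proc_open(void) {
    struct proc_model *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->files = calloc(1, sizeof(*p->files));
    if (!p->files) { free(p); return NULL; }
    p->refcount = 1;                      /* single-threaded model: plain int is enough */
    pthread_mutex_init(&p->files_lock, NULL);
    return p;
}

/* Cleanup path (the role binder_vma_close plays): may run while references remain. */
void proc_vma_close(struct proc_model *p) {
    pthread_mutex_lock(&p->files_lock);
    free(p->files);                       /* free(NULL) is a no-op on a second call */
    p->files = NULL;                      /* later users see "gone", not a stale pointer */
    pthread_mutex_unlock(&p->files_lock);
}

/* User path (the role task_get_unused_fd_flags plays): fetch and use under one lock hold. */
int proc_get_unused_fd(struct proc_model *p) {
    int fd;
    pthread_mutex_lock(&p->files_lock);
    if (p->files == NULL)
        fd = -ESRCH;                      /* cleanup already ran: fail instead of dereferencing */
    else
        fd = p->files->next_fd++;
    pthread_mutex_unlock(&p->files_lock);
    return fd;
}

/* Dropping the last reference frees the outer object. */
void proc_put(struct proc_model *p) {
    if (--p->refcount != 0) return;
    proc_vma_close(p);
    pthread_mutex_destroy(&p->files_lock);
    free(p);
}
```
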
