author | Arve Hjønnevåg <arve@android.com> | 2009-04-07 00:12:59 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-04-17 20:06:27 +0200 |
commit | 0cf24a7dc9123ddf63c413b6d4b38017b19db713 (patch) | |
tree | 7a11d6b10d3f7d32ad2b08fa617313f897fbb10c | |
parent | Staging: binder: Cast to uintptr_t instead of size_t when aligning pointers (diff) | |

Staging: binder: Prevent the wrong thread from adding a transaction to the stack.

If a thread is part of a transaction stack, it is only allowed to make
another call if it was the target of the top transaction on the stack.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

-rw-r--r-- | drivers/staging/android/binder.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 91a96292e6bb..b0127a3290d0 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread, if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { struct binder_transaction *tmp; tmp = thread->transaction_stack; + if (tmp->to_thread != thread) { + binder_user_error("binder: %d:%d got new " + "transaction with bad transaction stack" + ", transaction %d has target %d:%d\n", + proc->pid, thread->pid, tmp->debug_id, + tmp->to_proc ? tmp->to_proc->pid : 0, + tmp->to_thread ? + tmp->to_thread->pid : 0); + return_error = BR_FAILED_REPLY; + goto err_bad_call_stack; + } while (tmp) { if (tmp->from && tmp->from->proc == target_proc) target_thread = tmp->from; |
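Review bot: The new `if (tmp->to_thread != thread)` check at the top of the `!(tr->flags & TF_ONE_WAY) && thread->transaction_stack` block carries no comment stating the invariant it enforces. The rule is only in the commit message ("it is only allowed to make another call if it was the target of the top transaction on the stack"), so a one-line comment above the check would keep it from being mistaken for dead code or reordered below the `while (tmp)` walk, which assumes the stack belongs to this thread. Separately, the `binder_user_error()` format string is split across three literals ("binder: %d:%d got new " / "transaction with bad transaction stack" / ", transaction %d has target %d:%d\n"), so grepping the source for the message as it appears in the log will not find it; keeping the user-visible text on one line, even if it runs past 80 columns, makes the rejection easier to trace back from a log line. The null guards on `tmp->to_proc` and `tmp->to_thread` in the argument list look right, since the comparison above can be true precisely when `to_thread` is NULL.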