ANDROID: binder: Add strong ref checks

Prevent using a binder_ref with only weak references where a strong reference is required. BUG: 30445380 Signed-off-by: Arve Hjønnevåg <[email protected]> Git-repo: https://android.googlesource.com/kernel/msm.git Git-commit: 5e2a2bc89956ae1c739854403408059144b23c28 Signed-off-by: Ravi Kumar Siddojigari <[email protected]> Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca Signed-off-by: Ravi Kumar Siddojigari <[email protected]>
carlitros900 · Jun 10, 2019 · 4116150 · 4116150
1 parent 717b00f
commit 4116150
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
@@ -1921,20 +1921,24 @@ static int binder_dec_node(struct binder_node *node, int strong, int internal)
 	return 0;
 }
 
-static struct binder_ref *binder_get_ref(struct binder_proc *proc, uint32_t desc)
+static struct binder_ref *binder_get_ref(struct binder_proc *proc, uint32_t desc, bool need_strong_ref)
 {
 	struct rb_node *n = proc->refs_by_desc.rb_node;
 	struct binder_ref *ref;
 
 	while (n) {
 		ref = rb_entry(n, struct binder_ref, rb_node_desc);
 
-		if (desc < ref->desc)
+		if (desc < ref->desc) {
 			n = n->rb_left;
-		else if (desc > ref->desc)
+		}  else if (desc > ref->desc) {
 			n = n->rb_right;
-		else
+		} else if (need_strong_ref && !ref->strong) {
+			binder_user_error("tried to use weak ref as strong ref\n");
+			return NULL;
+		}  else {
 			return ref;
+                }
 	}
 	return NULL;
 }
@@ -2198,7 +2202,8 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
 			break;
 		case BINDER_TYPE_HANDLE:
 		case BINDER_TYPE_WEAK_HANDLE:{
-				struct binder_ref *ref = binder_get_ref(proc, fp->handle);
+				struct binder_ref *ref = binder_get_ref(proc, fp->handle,
+						fp->type == BINDER_TYPE_HANDLE);
 
 				if (ref == NULL) {
 					pr_err
@@ -2448,7 +2453,7 @@ static void binder_transaction(struct binder_proc *proc,
 		if (tr->target.handle) {
 			struct binder_ref *ref;
 
-			ref = binder_get_ref(proc, tr->target.handle);
+			ref = binder_get_ref(proc, tr->target.handle, true);
 			if (ref == NULL) {
 				binder_user_error
 				    ("%d:%d got transaction to invalid handle\n",
@@ -2718,7 +2723,8 @@ static void binder_transaction(struct binder_proc *proc,
 			break;
 		case BINDER_TYPE_HANDLE:
 		case BINDER_TYPE_WEAK_HANDLE:{
-				struct binder_ref *ref = binder_get_ref(proc, fp->handle);
+				struct binder_ref *ref = binder_get_ref(proc, fp->handle,
+						        fp->type == BINDER_TYPE_HANDLE);
 
 				if (ref == NULL) {
 					binder_user_error
@@ -3015,7 +3021,9 @@ static int binder_thread_write(struct binder_proc *proc,
 					ref->desc);
 				}
 			} else
-				ref = binder_get_ref(proc, target);
+				ref = binder_get_ref(proc, target,
+                                                     cmd == BC_ACQUIRE ||
+						     cmd == BC_RELEASE);
 			if (ref == NULL) {
 				binder_user_error("%d:%d refcount change on invalid ref %d\n",
 					proc->pid, thread->pid, target);
@@ -3220,7 +3228,7 @@ static int binder_thread_write(struct binder_proc *proc,
 			if (get_user(cookie, (binder_uintptr_t __user *) ptr))
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
-			ref = binder_get_ref(proc, target);
+			ref = binder_get_ref(proc, target, false);
 			if (ref == NULL) {
 				binder_user_error("%d:%d %s invalid ref %d\n",
 					proc->pid, thread->pid,