Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
binder: allow freeze notification for dead nodes

Alice points out that binder_request_freeze_notification() should not
return EINVAL when the relevant node is dead [1]. The node can die at
any point even if the user input is valid. Instead, allow the request
to be allocated but skip the initial notification for dead nodes. This
avoids propagating unnecessary errors back to userspace.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/all/CAH5fLghapZJ4PbbkC8V5A6Zay-_sgTzwVpwqk6RWWUNKKyJC_Q@mail.gmail.com/ [1]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-7-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Authored by Carlos Llamas and committed by Greg Kroah-Hartman
ca63c669 595ea72e

+13 -15
drivers/android/binder.c
··· 3856 3856 { 3857 3857 struct binder_ref_freeze *freeze; 3858 3858 struct binder_ref *ref; 3859 - bool is_frozen; 3860 3859 3861 3860 freeze = kzalloc(sizeof(*freeze), GFP_KERNEL); 3862 3861 if (!freeze) ··· 3871 3872 } 3872 3873 3873 3874 binder_node_lock(ref->node); 3874 - 3875 - if (ref->freeze || !ref->node->proc) { 3876 - binder_user_error("%d:%d invalid BC_REQUEST_FREEZE_NOTIFICATION %s\n", 3877 - proc->pid, thread->pid, 3878 - ref->freeze ? "already set" : "dead node"); 3875 + if (ref->freeze) { 3876 + binder_user_error("%d:%d BC_REQUEST_FREEZE_NOTIFICATION already set\n", 3877 + proc->pid, thread->pid); 3879 3878 binder_node_unlock(ref->node); 3880 3879 binder_proc_unlock(proc); 3881 3880 kfree(freeze); 3882 3881 return -EINVAL; 3883 3882 } 3884 - binder_inner_proc_lock(ref->node->proc); 3885 - is_frozen = ref->node->proc->is_frozen; 3886 - binder_inner_proc_unlock(ref->node->proc); 3887 3883 3888 3884 binder_stats_created(BINDER_STAT_FREEZE); 3889 3885 INIT_LIST_HEAD(&freeze->work.entry); 3890 3886 freeze->cookie = handle_cookie->cookie; 3891 3887 freeze->work.type = BINDER_WORK_FROZEN_BINDER; 3892 - freeze->is_frozen = is_frozen; 3893 - 3894 3888 ref->freeze = freeze; 3895 3889 3896 - binder_inner_proc_lock(proc); 3897 - binder_enqueue_work_ilocked(&ref->freeze->work, &proc->todo); 3898 - binder_wakeup_proc_ilocked(proc); 3899 - binder_inner_proc_unlock(proc); 3890 + if (ref->node->proc) { 3891 + binder_inner_proc_lock(ref->node->proc); 3892 + freeze->is_frozen = ref->node->proc->is_frozen; 3893 + binder_inner_proc_unlock(ref->node->proc); 3894 + 3895 + binder_inner_proc_lock(proc); 3896 + binder_enqueue_work_ilocked(&freeze->work, &proc->todo); 3897 + binder_wakeup_proc_ilocked(proc); 3898 + binder_inner_proc_unlock(proc); 3899 + } 3900 3900 3901 3901 binder_node_unlock(ref->node); 3902 3902 binder_proc_unlock(proc);
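Review bot: the new `if (ref->node->proc) {` block near the end of the function carries no comment saying that a dead node deliberately keeps the request but skips the initial notification, and a reader who only sees the code will not know the skipped enqueue is intentional. A one-line comment above the condition, for example `/* dead node: keep the request, skip the initial notification */`, would record the intent that the commit message explains. In the dead-node case `ref->freeze = freeze` is still assigned and `binder_stats_created(BINDER_STAT_FREEZE)` is still counted, while `freeze->work` has only been through `INIT_LIST_HEAD()` and is never placed on `proc->todo`, and `freeze->is_frozen` keeps the zero value from `kzalloc()`. The paths that later consume or clear `ref->freeze` are not part of these lines, so please confirm they tolerate a work item that was never queued and that the `BINDER_STAT_FREEZE` count is balanced when such a request is released. Minor: the reworded error string drops the word "invalid" that the old message had; keeping it would stay closer to the old message's wording.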