Revert "Revert "binder: Prevent context manager from incrementing ref 0""

This reverts commit f0416df755. Reason for revert: This was a "temporary" reversion to workaround what is believed to be a user-space issue. Change-Id: I5322aecfe57cd8237e6657525eb33975c4840059 Bug: 166779391 Signed-off-by: Todd Kjos <tkjos@google.com>
2026-06-06 10:58:48 +09:00 · 2021-08-05 22:01:09 +00:00
parent d74067d69e
commit d1c6df6dc8
1 changed files with 14 additions and 1 deletions
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2720,6 +2720,12 @@ static void binder_transaction(struct binder_proc *proc,
 			goto err_dead_binder;
 		}
 		e->to_node = target_node->debug_id;
+		if (WARN_ON(proc == target_proc)) {
+			return_error = BR_FAILED_REPLY;
+			return_error_param = -EINVAL;
+			return_error_line = __LINE__;
+			goto err_invalid_target_handle;
+		}
 		if (security_binder_transaction(proc->tsk,
 						target_proc->tsk) < 0) {
 			return_error = BR_FAILED_REPLY;
@@ -3407,10 +3413,17 @@ static int binder_thread_write(struct binder_proc *proc,

 				mutex_lock(&context->context_mgr_node_lock);
 				ctx_mgr_node = context->binder_context_mgr_node;
-				if (ctx_mgr_node)
+				if (ctx_mgr_node) {
+					if (ctx_mgr_node->proc == proc) {
+						binder_user_error("%d:%d context manager tried to acquire desc 0\n",
+								  proc->pid, thread->pid);
+						mutex_unlock(&context->context_mgr_node_lock);
+						return -EINVAL;
+					}
 					ret = binder_inc_ref_for_node(
 							proc, ctx_mgr_node,
 							strong, NULL, &rdata);
+				}
 				mutex_unlock(&context->context_mgr_node_lock);
 			}
 			if (ret)