From 0cf24a7dc9123ddf63c413b6d4b38017b19db713 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:59 -0700 Subject: Staging: binder: Prevent the wrong thread from adding a transaction to the stack. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a thread is part of a transaction stack, it is only allowed to make another call if it was the target of the top transaction on the stack. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'drivers/staging')
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 91a96292e6b..b0127a3290d 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread,
 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
 struct binder_transaction *tmp;
 tmp = thread->transaction_stack;
+ if (tmp->to_thread != thread) {
+ binder_user_error("binder: %d:%d got new "
+ "transaction with bad transaction stack"
+ ", transaction %d has target %d:%d\n",
+ proc->pid, thread->pid, tmp->debug_id,
+ tmp->to_proc ? tmp->to_proc->pid : 0,
+ tmp->to_thread ?
+ tmp->to_thread->pid : 0);
+ return_error = BR_FAILED_REPLY;
+ goto err_bad_call_stack;
+ }
 while (tmp) {
 if (tmp->from && tmp->from->proc == target_proc)
 target_thread = tmp->from;
-- cgit v1.2.3-70-g09d2
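Review bot: The added `if (tmp->to_thread != thread)` guard enforces a security-relevant invariant but has no comment, so the code alone does not say why a non-one-way call is refused here; I would add above it `/* A thread already on a transaction stack may only start a nested call if it is the target of the top transaction. */`. This failure path is reachable from user space, so it is worth confirming that `binder_user_error` (defined outside the hunk) is gated or rate-limited, so that a misbehaving client cannot flood the kernel log with this message. The `err_bad_call_stack` label and its cleanup are also outside the hunk, as are the start and end of binder_transaction; please check that nothing acquired before this point is left unreleased when jumping there.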