Evolution-X-Devices/kernel_google_wahoo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

binder: fix rb_insert_color crash

Browse Source 
When inserting a new binder_thread into the proc->threads
rbtree, the "parent" node in the tree is not recalculated
if the tree becomes empty between the initial lookup and
the recalc of the insertion point in binder_get_thread().
If the tree is empty on the recalc, the parent found in
the first lookup was used, corrupting the tree and causing
the crash. Reinitialize the parent pointer between lookups.

Bug: 62931241
Bug: 62272866
Bug: 62193133
Test: tested manually
Change-Id: I039cfe419022a39441220618e8a92433ecc2a2c5
Signed-off-by: Todd Kjos <tkjos@google.com>
This commit is contained in:
Todd Kjos
2017-07-05 16:29:57 -07:00
committed by Pat Tjin
parent b3b46e7ac9
commit 8de4509205
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/android/binder.c
View File

@@ -3629,6 +3629,7 @@ static struct binder_thread *binder_get_thread(struct binder_proc *proc)
* to recalc the insertion point in the rb tree.
*/
p = &proc->threads.rb_node;
parent = NULL;
while (*p) {
parent = *p;
thread = rb_entry(parent,