binder: clear rb nodes before inserting

RB nodes are not being initialized which means that node->__rb_parent_color is initialized to NULL due to kzalloc instead of being initialized as: node->__rb_parent_color = node This has not caused problems in the past, but recently resulted in regular crashes Bug: 62193133 Test: tested manually Signed-off-by: Todd Kjos <tkjos@google.com> Change-Id: I55c91196b85e614809bdb1a3f00bd121a03677c4
2017-05-31 08:54:19 -07:00
parent 19b6d95922
commit b5f8fb6ac0
1 changed files with 4 additions and 0 deletions
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -923,6 +923,7 @@ static struct binder_node *binder_new_node(struct binder_proc *proc,
 		     proc->pid, current->pid, node->debug_id,
 		     (u64)node->ptr, (u64)node->cookie);

+	RB_CLEAR_NODE(&node->rb_node);
 	rb_link_node(&node->rb_node, parent, p);
 	rb_insert_color(&node->rb_node, &proc->nodes);
 	node->local_weak_refs++;
@@ -1185,6 +1186,7 @@ static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc,
 			return ref;
 		}
 	}
+	RB_CLEAR_NODE(&new_ref->rb_node_node);
 	rb_link_node(&new_ref->rb_node_node, parent, p);
 	rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);

@@ -1208,6 +1210,7 @@ static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc,
 		else
 			BUG();
 	}
+	RB_CLEAR_NODE(&new_ref->rb_node_desc);
 	rb_link_node(&new_ref->rb_node_desc, parent, p);
 	rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
 	binder_proc_unlock(proc, __LINE__);
@@ -3640,6 +3643,7 @@ static struct binder_thread *binder_get_thread(struct binder_proc *proc)
 		/* This thread can't have been added */
 		BUG_ON(*p != NULL);

+		RB_CLEAR_NODE(&new_thread->rb_node);
 		rb_link_node(&new_thread->rb_node, parent, p);
 		rb_insert_color(&new_thread->rb_node, &proc->threads);
 		thread = new_thread;