diff options
author | Christopher Lais <chris+android@zenthought.org> | 2010-05-01 15:51:48 -0500 |
---|---|---|
committer | Colin Cross <ccross@android.com> | 2010-09-29 17:49:34 -0700 |
commit | 9f69ebbf404cf49f9275c1310f1be8f303c87c9b (patch) | |
tree | 9cd2d9e8d9b3d27fee00402ac4674132d66e3801 /drivers | |
parent | 28633d10f9a9a0b9c315d244f2402c53375f77db (diff) |
binder: Fix memory corruption via page aliasing
binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption. This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.
This only happens on architectures with VIPT aliasing.
To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly. This should leave a page allocated when the
binder is released. When binder_deferrred_release is called on the
close, the page will remain mapped to the address in the linear
proc->buffer. Later, we may map the same physical page to a different
virtual address that has different coloring, and this may cause
aliasing to occur.
PAGE_POISONING will greatly increase your chances of noticing any
problems.
Change-Id: I6941bf212881b8bf846bdfda43d3609c7ae4892e
Signed-off-by: Christopher Lais <chris+android@zenthought.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/staging/android/binder.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 6e1d78cece00..e13b4c483407 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -3036,11 +3036,14 @@ static void binder_deferred_release(struct binder_proc *proc) int i; for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { if (proc->pages[i]) { + void *page_addr = proc->buffer + i * PAGE_SIZE; binder_debug(BINDER_DEBUG_BUFFER_ALLOC, "binder_release: %d: " "page %d at %p not freed\n", proc->pid, i, - proc->buffer + i * PAGE_SIZE); + page_addr); + unmap_kernel_range((unsigned long)page_addr, + PAGE_SIZE); __free_page(proc->pages[i]); page_count++; } |