From 2c30753aeac9cde03cc8a26c069fa5427e7159fe Mon Sep 17 00:00:00 2001 From: Todd Kjos Date: Thu, 23 Jan 2020 10:44:53 +0530 Subject: [PATCH] ANDROID: fix binder change in merge of 4.9.188 The 4.9.188 merge was missing the change to the binder driver associated with the linux-4.9.y commit 16903f1a5ba7 ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping"). It was left out because the android-4.9 binder driver has been significantly refactored compared to linux-4.9.y. This patch applies the missing change from that patch to the binder driver. Mot-CRs-fixed: (CR) CVE-Fixed: CVE-2019-11599 BUG: 131964235 Change-Id: I1402cf3c28f1336da9d942abeb322f71a9b8138b Signed-off-by: Pachipulusu Bhanu Prakash Reviewed-on: https://gerrit.mot.com/1473937 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver Tested-by: Jira Key Reviewed-by: Xiangpo Zhao Submit-Approved: Jira Key (cherry picked from commit 99335914ba19281d60062a035e452e5527cf51a3) --- drivers/android/binder_alloc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 16e580006c35..55bf52509a31 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -218,6 +218,11 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate, if (mm) { down_read(&mm->mmap_sem); + if (!mmget_still_valid(mm)) { + if (allocate == 0) + goto free_range; + goto err_no_vma; + } vma = alloc->vma; } -- 2.20.1
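Review bot: both exits from the new `if (!mmget_still_valid(mm))` block in binder_update_page_range() jump away while `mm->mmap_sem` is still held for read by the `down_read(&mm->mmap_sem)` just above. Neither the `free_range` nor the `err_no_vma` label is visible in this hunk, so please confirm that each path reaches the matching `up_read()` when `mm` is non-NULL. Since the android-4.9 driver was refactored relative to linux-4.9.y, that unwind is worth checking against this tree rather than assuming it matches the upstream commit. A one-line comment above the check would also help the next reader: say that it must run with mmap_sem held, and explain why the `allocate == 0` case goes to `free_range` instead of failing outright. As a minor style point, `if (!allocate)` is the more usual kernel form of `if (allocate == 0)`.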