mirror of https://github.com/torvalds/linux.git, synced 2025-10-31 16:48:26 +02:00

d90eeb8ecd There are no scenarios where a weak increment is invalid on binder_node.
The only possible case where it could be invalid is if the kernel
delivers BR_DECREFS to the process that owns the node, and then
increments the weak refcount again, effectively "reviving" a dead node.
However, that is not possible: when the BR_DECREFS command is delivered,
the kernel removes and frees the binder_node. The fact that you were
able to call binder_inc_node_nilocked() implies that the node is not yet
destroyed, which implies that BR_DECREFS has not been delivered to
userspace, so incrementing the weak refcount is valid.
Note that it's currently possible to trigger this condition if the owner
calls BINDER_THREAD_EXIT while node->has_weak_ref is true. This causes
BC_INCREFS on binder_ref instances to fail when they should not.
Cc: stable@vger.kernel.org
Fixes:

| | | |
|---|---|---|
| binder | ||
| tests | ||
| binder.c | ||
| binder_alloc.c | ||
| binder_alloc.h | ||
| binder_internal.h | ||
| binder_netlink.c | ||
| binder_netlink.h | ||
| binder_trace.h | ||
| binderfs.c | ||
| dbitmap.h | ||
| Kconfig | ||
| Makefile | ||