diff options
| author | Alice Ryhl <aliceryhl@google.com> | 2025-11-11 14:23:33 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-01-02 12:57:05 +0100 |
| commit | bee1f36801dba1d079c9eaf9a7d1263ea90cbaff (patch) | |
| tree | 22087a60a268ec650e23b4cff7d25d04aea6d3e6 /drivers/android | |
| parent | 505e8c7f6ca1c3e8f4caa2bc598f47fa3ac664e3 (diff) | |
rust_binder: avoid mem::take on delivered_deaths
commit 6c37bebd8c926ad01ef157c0d123633a203e5c0d upstream.
Similar to the previous commit, List::remove is used on
delivered_deaths, so do not use mem::take on it as that may result in
violations of the List::remove safety requirements.
I don't think this particular case can be triggered because it requires
fd close to run in parallel with an ioctl on the same fd. But let's not
tempt fate.
Cc: stable@vger.kernel.org
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://patch.msgid.link/20251111-binder-fix-list-remove-v1-2-8ed14a0da63d@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binder/process.rs | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs index 7607353a5e92..ef4dbb2b571c 100644 --- a/drivers/android/binder/process.rs +++ b/drivers/android/binder/process.rs @@ -1362,8 +1362,12 @@ impl Process { work.into_arc().cancel(); } - let delivered_deaths = take(&mut self.inner.lock().delivered_deaths); - drop(delivered_deaths); + // Clear delivered_deaths list. + // + // Scope ensures that MutexGuard is dropped while executing the body. + while let Some(delivered_death) = { self.inner.lock().delivered_deaths.pop_front() } { + drop(delivered_death); + } // Free any resources kept alive by allocated buffers. let omapping = self.inner.lock().mapping.take(); |