diff options
| author | Christopher Lais <chris+android@zenthought.org> | 2010-05-01 15:51:48 -0500 |
|---|---|---|
| committer | Iliyan Malchev <malchev@google.com> | 2011-05-23 15:43:38 -0700 |
| commit | 96bc9717a70da31dba573aa89cf16624eefeb880 (patch) | |
| tree | c2689878d577996d3c53df3a69a365ff17df8107 /include/linux/bfin_mac.h | |
| parent | f862b627d4fb6ff57b717c00489aaee9da3caedb (diff) | |
binder: Fix memory corruption via page aliasing
binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption. This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.
This only happens on architectures with VIPT aliasing.
To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly. This should leave a page allocated when the
binder is released. When binder_deferrred_release is called on the
close, the page will remain mapped to the address in the linear
proc->buffer. Later, we may map the same physical page to a different
virtual address that has different coloring, and this may cause
aliasing to occur.
PAGE_POISONING will greatly increase your chances of noticing any
problems.
Change-Id: I6941bf212881b8bf846bdfda43d3609c7ae4892e
Signed-off-by: Christopher Lais <chris+android@zenthought.org>
Diffstat (limited to 'include/linux/bfin_mac.h')
0 files changed, 0 insertions, 0 deletions