binder: Fix memory corruption via page aliasing

binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption.  This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.

This only happens on architectures with VIPT aliasing.

To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly.  This should leave a page allocated when the
binder is released.  When binder_deferrred_release is called on the
close, the page will remain mapped to the address in the linear
proc->buffer.  Later, we may map the same physical page to a different
virtual address that has different coloring, and this may cause
aliasing to occur.

PAGE_POISONING will greatly increase your chances of noticing any
problems.

Change-Id: I6941bf212881b8bf846bdfda43d3609c7ae4892e

Signed-off-by: Christopher Lais <chris+android@zenthought.org>

0 files changed, 0 insertions, 0 deletions