binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption. This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.
To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly. This should leave a page allocated when the
binder is released. Different alloc_page / area->addr combinations
with shared area->addr need to happen for the problem to have an
effect, because otherwise the buffer will just have the same pages
mapped to it as before.
PAGE_POISONING will greatly increase your chances of noticing any
changes. Adding debug to show the non-contiguously mapped page
addresses (phys_to_virt(page_to_phys(page->pages[i]))) on allocation
and free in binder_deferred_release may help with verifying.
Change-Id: I6941bf212881b8bf846bdfda43d3609c7ae4892e
---
drivers/staging/android/binder.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index cd53c64..1d06967 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -3026,11 +3026,13 @@ static void binder_deferred_release(struct binder_proc
*proc)
int i;
for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) {
if (proc->pages[i]) {
+ void *page_addr = proc->buffer + i * PAGE_SIZE;
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder_release: %d: "
"page %d at %p not freed\n",
proc->pid, i,
- proc->buffer + i * PAGE_SIZE);
+ page_addr);
+ unmap_kernel_range((unsigned long)page_addr,
PAGE_SIZE);
__free_page(proc->pages[i]);
page_count++;
}
--
1.7.1
--
unsubscribe: [email protected]
website: http://groups.google.com/group/android-kernel
