Staging: binder: Prevent the wrong thread from adding a transaction to the stack.

If a thread is part of a transaction stack, it is only allowed to make
another call if it was the target of the top transaction on the stack.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 91a9629..b0127a3 100644 (file)
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread,
                if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
                        struct binder_transaction *tmp;
                        tmp = thread->transaction_stack;
+                       if (tmp->to_thread != thread) {
+                               binder_user_error("binder: %d:%d got new "
+                                       "transaction with bad transaction stack"
+                                       ", transaction %d has target %d:%d\n",
+                                       proc->pid, thread->pid, tmp->debug_id,
+                                       tmp->to_proc ? tmp->to_proc->pid : 0,
+                                       tmp->to_thread ?
+                                       tmp->to_thread->pid : 0);
+                               return_error = BR_FAILED_REPLY;
+                               goto err_bad_call_stack;
+                       }
                        while (tmp) {
                                if (tmp->from && tmp->from->proc == target_proc)
                                        target_thread = tmp->from;