On Tue, Oct 5, 2021 at 1:38 AM Casey Schaufler wrote:
> On 10/4/2021 3:28 PM, Jann Horn wrote:
> > On Mon, Oct 4, 2021 at 6:19 PM Casey Schaufler
> > wrote:
> >> On 10/1/2021 3:58 PM, Jann Horn wrote:
> >>> On Fri, Oct 1, 2021 at 10:10 PM Casey Schaufler
On Mon, Oct 4, 2021 at 6:19 PM Casey Schaufler wrote:
> On 10/1/2021 3:58 PM, Jann Horn wrote:
> > On Fri, Oct 1, 2021 at 10:10 PM Casey Schaufler
> > wrote:
> >> On 10/1/2021 12:50 PM, Jann Horn wrote:
> >>> On Fri, Oct 1, 2021 at 9:36 PM Jann Horn wrote:
On Wed, Mar 17, 2021 at 7:00 PM Christian Brauner
wrote:
> On Mon, Mar 15, 2021 at 06:16:27PM -0700, Li Li wrote:
> > To improve the user experience when switching between recently used
> > applications, the background applications which are not currently needed
> > are cached in the memory. Norma
ove kernel vm_area for buffer space")
Cc: sta...@vger.kernel.org
Signed-off-by: Jann Horn
---
drivers/android/binder_alloc.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 21952dfa147d..5393856
vm_insert_page() does increment the page refcount, and just to be sure,
I've confirmed it by printing page_count(page[0].page_ptr) before and after
vm_insert_page(). It's 1 before, 2 afterwards, as expected.
Signed-off-by: Jann Horn
---
drivers/android/binder_alloc.c | 1 -
1 file
Hi!
There is a use-after-free read in print_binder_transaction_log_entry()
on ANDROID_BINDERFS kernels because
print_binder_transaction_log_entry() prints the char* e->context_name
as string, and if the transaction occurred on a binder device from
binderfs, e->context_name belongs to the binder de
On Sat, Jun 18, 2016 at 11:19 AM, ZhaoJunmin Zhao(Junmin)
wrote:
> On 2016/6/16 6:39, Jann Horn wrote:
>> On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
>>> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
>>>> If /dev/binder is opened and the opener
On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
>> If /dev/binder is opened and the opener process then e.g. calls execve,
>> proc->vma_vm_mm will still point to the location of the now-freed
>> mm_struct. I
Just something I noticed while looking at FD-passing code.
Didn't test the change.
BUG_ON is intentional, if someone rewrites the code to hit
that, it can be a security issue.
Signed-off-by: Jann Horn
---
drivers/android/binder.c | 18 ++
1 file changed, 14 insertions(