> @@ -875,22 +871,34 @@ static void binder_free_thread(struct binder_thread
> *thread);
> static void binder_free_proc(struct binder_proc *proc);
> static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
>
> +struct files_struct *binder_get_files_struct(struct binder_proc *proc)
T
On Thu, Nov 16, 2017 at 09:48:13AM -0800, Todd Kjos wrote:
> > @@ -875,22 +871,34 @@ static void binder_free_thread(struct binder_thread
> > *thread);
> > static void binder_free_proc(struct binder_proc *proc);
> > static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
> >
> > +st
proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to p
