Re: [PATCH] rust_binder: add ownership assertion to Node::add_death

From: Onur Özkan

Date: Wed Jun 10 2026 - 01:45:40 EST


On Tue, 09 Jun 2026 23:55:44 -0400
Georgios Androutsopoulos <georgeandrout13@xxxxxxxxx> wrote:

> The `// SAFETY:` comment in NodeDeath::set_cleared assumes that a
> NodeDeath is never inserted into the death list of any Node other than
> its owner. However, this invariant is not enforced by the safe function
> Node::add_death, which inserts NodeDeath into the death list without
> checking that death.node == self, leaving a risk for future code that
> may miss this implicit invariant and cause undefined behavior.
>
> Add an assertion to make this precondition explicit and catch potential
> violations early.
>
> Link: https://github.com/Rust-for-Linux/linux/issues/1237
>
> Signed-off-by: Georgios Androutsopoulos <georgeandrout13@xxxxxxxxx>
> ---
> drivers/android/binder/node.rs | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/android/binder/node.rs b/drivers/android/binder/node.rs
> index 69f757ff7461..20eaaefbd4cc 100644
> --- a/drivers/android/binder/node.rs
> +++ b/drivers/android/binder/node.rs
> @@ -333,6 +333,10 @@ pub(crate) fn add_death(
> death: ListArc<DTRWrap<NodeDeath>, 1>,
> guard: &mut Guard<'_, ProcessInner, SpinLockBackend>,
> ) {
> + assert!(
> + core::ptr::eq(self, &**death.node),
> + "attempt to add NodeDeath to the wrong death list"
> + );

I think having a `debug_assert!` should be fine. That's also your suggestion in
the GH issue link above.

Thanks,
Onur

> self.inner.access_mut(guard).death_list.push_back(death);
> }
>
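
Review bot: the `assert!` at the top of `add_death` runs while the caller holds the `ProcessInner` spinlock guard, and it is unconditional, so a violation panics under that lock in every build. A `debug_assert!` avoids that, but it leaves `death.node == self` unchecked when debug assertions are off, so the `// SAFETY:` comment in `NodeDeath::set_cleared` would still rest on an unenforced precondition in those builds. Whichever form is kept, state the precondition in a doc comment on `add_death` and reference it from that `// SAFETY:` comment. A short comment on what `&**death.node` dereferences would also help readers of the `core::ptr::eq` line.
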
>
> base-commit: 287afdc7671a03081f48f3407bc59862c202bd4b
> --
> 2.47.3
>