Re: [PATCH v2] rust_binder: add ownership assertion to Node::add_death
From: Alice Ryhl
Date: Thu Jun 11 2026 - 03:53:00 EST
On Wed, Jun 10, 2026 at 09:32:39AM -0400, Georgios Androutsopoulos wrote:
> The `// SAFETY:` comment in NodeDeath::set_cleared assumes that a
> NodeDeath is never inserted into the death list of any Node other than
> its owner. However, this invariant is not enforced by the safe function
> Node::add_death, which inserts NodeDeath into the death list without
> checking that death.node == self, leaving a risk for future code that
> may miss this implicit invariant and cause undefined behavior.
>
> Add an assertion to make this precondition explicit and catch potential
> violations early.
>
> Link: https://github.com/Rust-for-Linux/linux/issues/1237
>
> Signed-off-by: Georgios Androutsopoulos <georgeandrout13@xxxxxxxxx>
> ---
> Changes in v2:
> - Replace assert!() with pr_warn() + debug_assert() following
> feedback from Onur Özkan and Miguel Ojeda.
>
> Link to v1: https://lore.kernel.org/rust-for-linux/20260610035544.3333022-1-georgeandrout13@xxxxxxxxx/
> ---
> drivers/android/binder/node.rs | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/android/binder/node.rs b/drivers/android/binder/node.rs
> index 69f757ff7461..425076405e1e 100644
> --- a/drivers/android/binder/node.rs
> +++ b/drivers/android/binder/node.rs
> @@ -333,6 +333,11 @@ pub(crate) fn add_death(
> death: ListArc<DTRWrap<NodeDeath>, 1>,
> guard: &mut Guard<'_, ProcessInner, SpinLockBackend>,
> ) {
> + let is_valid = core::ptr::eq(self, &**death.node);
> + if !is_valid {
> + pr_warn!("attempt to add NodeDeath to the wrong death list\n");
> + }
> + debug_assert!(is_valid);
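Review bot: in the added `if !is_valid` branch, nothing stops the function when the check fails: `pr_warn!` only logs, `debug_assert!` is compiled out in non-debug builds, and execution falls through to the existing insertion, so in release builds the NodeDeath is still added to the wrong Node's death list, which is exactly the case the `// SAFETY:` comment in NodeDeath::set_cleared relies on never happening. Suggest adding `return;` after the `pr_warn!` (warn and refuse the insert) or keeping a hard failure, so the function never inserts a death into a list other than its owner's.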
If this assertion fails we should not continue. Either use a full panic,
or do a warn_on! and return without adding it.
Alice