[PATCH 3/3] rust_binder: check current before closing fds
From: Alice Ryhl
Date: Thu Feb 19 2026 - 08:54:06 EST
This list gets populated once the transaction is delivered to the target
process, at which point it's not touched again except in BC_FREE_BUFFER
and process exit, so if the list has been populated then this code
should not run in the context of the wrong userspace process.

However, why tempt fate? The function itself can run in the context of
both the sender and receiver, and if someone can engineer a scenario
where it runs in the sender and this list is non-empty (or future Rust
Binder changes make such a scenario possible), then that'd be a problem
because we'd be closing random unrelated fds in the wrong process.
Suggested-by: Jann Horn <jannh@xxxxxxxxxx>
Signed-off-by: Alice Ryhl <aliceryhl@xxxxxxxxxx>
---
drivers/android/binder/allocation.rs | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/android/binder/allocation.rs b/drivers/android/binder/allocation.rs
index 7f65a9c3a0e58e07a7e6d4e7d7b185f73fb1aab8..31a42738a99dd8118c21bb15635f54ddd748787e 100644
--- a/drivers/android/binder/allocation.rs
+++ b/drivers/android/binder/allocation.rs
@@ -260,6 +260,10 @@ fn drop(&mut self) {
}
}
+ if self.process.task != kernel::current!().group_leader() {
+ // Called from wrong task, so do not free fds.
+ info.file_list.close_on_free.clear();
+ }
for &fd in &info.file_list.close_on_free {
let closer = match DeferredFdCloser::new(GFP_KERNEL) {
Ok(closer) => closer,
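Review bot: the new branch `if self.process.task != kernel::current!().group_leader()` silently clears `close_on_free`, so on that path the receiver's fds are leaked (never closed) rather than closed in the wrong process; since the commit message says this path should be unreachable, consider making it observable with a warning print (a rate-limited or once-only `pr_warn`-style message) so that a future change which makes it reachable shows up in the kernel log instead of as a silent fd leak, and mention the leak-versus-wrong-close trade-off in the commit message. The comparison against `group_leader()` rather than the current thread is the right granularity, since Binder tracks processes, not threads, and the check sits before the `for &fd in &info.file_list.close_on_free` loop so an empty list makes the loop a no-op.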
--
2.53.0.335.g19a08e0c02-goog