[ There needs to be a dedicated mailing list for this. Picking up
patches using lkml and lei is new age voodoo nonsense. Or it might
work fine. Wouldn't it be funny if Lei sent this to all the correct
people and they all mocked me for being out of touch with new
technology. (0_0) -dan ]
Hello Carlos Llamas,
The patch 9474be34a727: "binder: add failed transaction logging info"
from Apr 29, 2022, leads to the following Smatch static checker
warning:
drivers/android/binder.c:3562 binder_transaction() error: dereferencing freed memory 'target_proc'
drivers/android/binder.c:3563 binder_transaction() error: dereferencing freed memory 'target_thread'
drivers/android/binder.c
3538 err_alloc_tcomplete_failed:
3539 if (trace_binder_txn_latency_free_enabled())
3540 binder_txn_latency_free(t);
3541 kfree(t);
3542 binder_stats_deleted(BINDER_STAT_TRANSACTION);
3543 err_alloc_t_failed:
3544 err_bad_todo_list:
3545 err_bad_call_stack:
3546 err_empty_call_stack:
3547 err_dead_binder:
3548 err_invalid_target_handle:
3549 if (target_thread)
3550 binder_thread_dec_tmpref(target_thread);
^^^^^^^^^^^^^
Maybe freed.
3551 if (target_proc)
3552 binder_proc_dec_tmpref(target_proc);
^^^^^^^^^^^
Potentially freed here
3553 if (target_node) {
3554 binder_dec_node(target_node, 1, 0);
3555 binder_dec_node_tmpref(target_node);
3556 }
3557
3558 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
3559 "%d:%d transaction %s to %d:%d failed %d/%d/%d, size %lld-%lld line %d\n",
3560 proc->pid, thread->pid, reply ? "reply" :
3561 (tr->flags & TF_ONE_WAY ? "async" : "call"),
--> 3562 target_proc ? target_proc->pid : 0,
^^^^^^^^^^^^^^^^
Dereferenced
3563 target_thread ? target_thread->pid : 0,
3564 t_debug_id, return_error, return_error_param,
3565 (u64)tr->data_size, (u64)tr->offsets_size,
3566 return_error_line);
3567
3568 {
3569 struct binder_transaction_log_entry *fe;
3570
3571 e->return_error = return_error;
3572 e->return_error_param = return_error_param;
regards,
dan carpenter
