From: Al Viro Date: Wed, 15 Aug 2012 22:23:36 +0000 (-0400) Subject: binder: don't allow mmap() by process other than proc->tsk X-Git-Tag: upstream/snapshot3+hdmi~6554^2~67 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a79f41ed9786b75ebe75e52295ad54049b8551b6;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git binder: don't allow mmap() by process other than proc->tsk we really shouldn't do get_files_struct() on a different process and use it to modify the sucker later on. Signed-off-by: Al Viro --- diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 574e992..b9a534c 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -2793,6 +2793,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) const char *failure_string; struct binder_buffer *buffer; + if (proc->tsk != current) + return -EINVAL; + if ((vma->vm_end - vma->vm_start) > SZ_4M) vma->vm_end = vma->vm_start + SZ_4M; @@ -2857,7 +2860,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) binder_insert_free_buffer(proc, buffer); proc->free_async_space = proc->buffer_size / 2; barrier(); - proc->files = get_files_struct(proc->tsk); + proc->files = get_files_struct(current); proc->vma = vma; proc->vma_vm_mm = vma->vm_mm;
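Review bot: In the first hunk (the new guard at the top of binder_mmap(), @@ -2793), `proc->tsk != current` compares individual tasks, while the subject line talks about a "process other than proc->tsk". The hunk does not show how proc->tsk is set. If it records the thread that opened the device rather than the thread group leader, a second thread of the same process calling mmap() would now get -EINVAL. Please confirm which is intended and state it in a one-line comment above the check. The early return also happens before failure_string is set, so this rejection is silent unlike whatever paths use that variable. Consider routing it through the same reporting so a refused mmap() is visible when debugging.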
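Review bot: In the second hunk (@@ -2857, the `proc->files = get_files_struct(current);` line), the switch from proc->tsk to current is only equivalent because of the guard added about sixty lines earlier in the same function. Nothing at this line says so. If that guard is later moved or relaxed, this assignment would quietly pin the caller's files_struct instead of the owner's. A short comment here pointing at the `proc->tsk != current` check would make the dependency explicit. It would also help if the commit message said that the stored reference is now always the mmap() caller's own files.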