From 5dca02f2ee931aef66bb21dd8067c8b1af1e0d3e Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 8 May 2024 05:21:31 +0200
Subject: Merging upstream version 4.19.260.
Signed-off-by: Daniel Baumann
---
 drivers/android/binder.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'drivers/android/binder.c')
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 35c13be4a..3e57d5682 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1809,6 +1809,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
 }
 ret = binder_inc_ref_olocked(ref, strong, target_list);
 *rdata = ref->data;
+ if (ret && ref == new_ref) {
+ /*
+ * Cleanup the failed reference here as the target
+ * could now be dead and have already released its
+ * references by now. Calling on the new reference
+ * with strong=0 and a tmp_refs will not decrement
+ * the node. The new_ref gets kfree'd below.
+ */
+ binder_cleanup_ref_olocked(new_ref);
+ ref = NULL;
+ }
+
 binder_proc_unlock(proc);
 if (new_ref && ref != new_ref)
 /*
--
cgit v1.2.3
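Review bot: `*rdata = ref->data;` still runs before the added `if (ret && ref == new_ref)` check, so on the failure path the caller's `rdata` is filled from a reference that this hunk then cleans up and that, per the added comment, is kfree'd below. Callers are outside the hunk; if any of them reads `rdata` without first checking the return value, it would be working with a descriptor that no longer maps to a live reference. I would state that contract at the copy, e.g. `/* on error *rdata describes a ref that has been released; callers must check ret first */`, or, if no caller needs the data on failure, guard the copy with `if (!ret)`. The function body starts and ends outside the hunk, so the kfree and the return are not visible here.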