Re: [PATCH v2] rust_binder: add ownership assertion to Node::add_death

[Alice Ryhl <aliceryhl@google.com>]

On Wed, Jun 10, 2026 at 09:32:39AM -0400, Georgios Androutsopoulos wrote:
> The `// SAFETY:` comment in NodeDeath::set_cleared assumes that a
> NodeDeath is never inserted into the death list of any Node other than
> its owner. However, this invariant is not enforced by the safe function
> Node::add_death, which inserts NodeDeath into the death list without
> checking that death.node == self, leaving a risk for future code that
> may miss this implicit invariant and cause undefined behavior.
> 
> Add an assertion to make this precondition explicit and catch potential
> violations early.
> 
> Link: https://github.com/Rust-for-Linux/linux/issues/1237
> 
> Signed-off-by: Georgios Androutsopoulos <georgeandrout13@gmail.com>
> ---
> Changes in v2:
> - Replace assert!() with pr_warn() + debug_assert() following
>   feedback from Onur Özkan and Miguel Ojeda.
> 
> Link to v1: https://lore.kernel.org/rust-for-linux/20260610035544.3333022-1-georgeandrout13@gmail.com/
> ---
>  drivers/android/binder/node.rs | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/android/binder/node.rs b/drivers/android/binder/node.rs
> index 69f757ff7461..425076405e1e 100644
> --- a/drivers/android/binder/node.rs
> +++ b/drivers/android/binder/node.rs
> @@ -333,6 +333,11 @@ pub(crate) fn add_death(
>          death: ListArc<DTRWrap<NodeDeath>, 1>,
>          guard: &mut Guard<'_, ProcessInner, SpinLockBackend>,
>      ) {
> +        let is_valid = core::ptr::eq(self, &**death.node);
> +        if !is_valid {
> +            pr_warn!("attempt to add NodeDeath to the wrong death list\n");
> +        }
> +        debug_assert!(is_valid);

If this assertion fails we should not continue. Either use a full panic,
or do a warn_on! and return without adding it.

Alice