From 04738f5b0769f761f4a4c1522f40927117439611 Mon Sep 17 00:00:00 2001
From: Benedict Wong <benedictwong@google.com>
Date: Thu, 28 Feb 2019 20:28:48 -0800
Subject: [PATCH] Fix remove-before-add for IpSecService RefcountedResource

This patch fixes a bug where if a binder dies before the linkToDeath
call, the cleanup will be performed before the entry is added to the
array. While it is safe in that quotas and tracking performs as per
normal, the RefcountedRecord may not be cleaned up.

Rethrowing this exception is safe, since the only paths that would hit
this are all on binder threads coming from applications. Further, it
seems there is only one real way of this getting hit - if the app that
called the creation died during the binder call.

Bug: 126802451
Test: Compiled, CTS tests passing
Change-Id: I6db75853da9f29e1573512e26351623f22770c5d
---
 services/core/java/com/android/server/IpSecService.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 126bf65565..fc7fe5ea56 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -207,6 +207,7 @@ public class IpSecService extends IIpSecService.Stub {
                     mBinder.linkToDeath(this, 0);
                 } catch (RemoteException e) {
                     binderDied();
+                    e.rethrowFromSystemServer();
                 }
             }
         }