--- x/drivers/android/binder.c
+++ y/drivers/android/binder.c
@@ -1131,6 +1131,7 @@ static struct binder_ref *binder_get_ref
 struct binder_ref *ref;
 struct rb_node *parent;
 struct rb_node **p;
+ struct rb_node **p0, *pa0;
 u32 desc;
 retry:
@@ -1147,6 +1148,8 @@ retry:
 else
 return ref;
 }
+ p0 = p;
+ pa0 = parent;
 if (!new_ref)
 return NULL;
@@ -1158,11 +1161,10 @@ retry:
 new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
 new_ref->proc = proc;
 new_ref->node = node;
- rb_link_node(&new_ref->rb_node_node, parent, p);
- rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
 new_ref->data.desc = desc;
 p = &proc->refs_by_desc.rb_node;
+ parent = NULL;
 while (*p) {
 parent = *p;
 ref = rb_entry(parent, struct binder_ref, rb_node_desc);
@@ -1172,11 +1174,14 @@ retry:
 else if (new_ref->data.desc > ref->data.desc)
 p = &(*p)->rb_right;
 else
- BUG();
+ return ref;
 }
 rb_link_node(&new_ref->rb_node_desc, parent, p);
 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
+ rb_link_node(&new_ref->rb_node_node, pa0, p0);
+ rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
+
 binder_node_lock(node);
 hlist_add_head(&new_ref->node_entry, &node->refs);
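Review bot: The slot saved in `p0`/`pa0` after the by-node search stays correct only if `proc->refs_by_node` is left unmodified until the deferred `rb_link_node(&new_ref->rb_node_node, pa0, p0)` in the last hunk, and nothing in the code states that requirement. Part of the stretch between the save and the link lies outside the visible hunks, so whether that holds cannot be confirmed from here. Names such as `node_link`/`node_parent` and a comment like `/* insertion slot in refs_by_node; the tree must not change before new_ref is linked */` would make the dependency explicit. The save sits below `retry:`, so presumably a retry recomputes the slot; that is worth saying in the same comment.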
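Review bot: The `return ref;` that replaces `BUG()` hands back a ref that was matched on `data.desc`, not on `node`. This path appears to be reached only after the by-node search found nothing (that loop is mostly outside the hunks, so this is inferred), which means the caller would silently receive a reference belonging to a different node. A descriptor collision is an invariant violation, so it should stay visible, e.g. `WARN_ONCE(1, "binder: duplicate ref desc %u\n", new_ref->data.desc);` before returning, and be distinguishable from the "existing ref found" return; the right value needs checking against the callers, which are not shown. By this point `new_ref` already has `debug_id`, `proc`, `node` and `data.desc` written, so a caller that keeps or frees the unused `new_ref` must not assume it is untouched. The function body continues outside the hunk.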