diff options
author | Todd Kjos <tkjos@android.com> | 2019-06-21 10:54:15 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-22 11:49:16 +0200 |
commit | 1909a671dbc3606685b1daf8b22a16f65ea7edda (patch) | |
tree | e3fe8453fc0122847fc8b7fba6505658d595a310 /drivers/android | |
parent | 21f010b110c58f4e77d5a35244f42169c8d33e9a (diff) | |
download | lwn-1909a671dbc3606685b1daf8b22a16f65ea7edda.tar.gz lwn-1909a671dbc3606685b1daf8b22a16f65ea7edda.zip |
binder: fix memory leak in error path
syzkallar found a 32-byte memory leak in a rarely executed error
case. The transaction complete work item was not freed if put_user()
failed when writing the BR_TRANSACTION_COMPLETE to the user command
buffer. Fixed by freeing it before put_user() is called.
Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
-rw-r--r-- | drivers/android/binder.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 748ac489ef7e..8b108e9b31cc 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -4256,6 +4256,8 @@ retry: case BINDER_WORK_TRANSACTION_COMPLETE: { binder_inner_proc_unlock(proc); cmd = BR_TRANSACTION_COMPLETE; + kfree(w); + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); @@ -4264,8 +4266,6 @@ retry: binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, "%d:%d BR_TRANSACTION_COMPLETE\n", proc->pid, thread->pid); - kfree(w); - binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); } break; case BINDER_WORK_NODE: { struct binder_node *node = container_of(w, struct binder_node, work); |