author | Todd Kjos <tkjos@android.com> | 2019-06-21 10:54:15 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-14 08:11:21 +0200 |
commit | 524ad00e80b7b1138e933a3dc62e67cb25baadc6 (patch) | |
tree | 826a781578ed2d53d56222012daacab0220b0b63 /drivers/android | |
parent | 294b893a41cd031394d734524bc1eebbef0707cd (diff) | |
download | linux-stable-524ad00e80b7b1138e933a3dc62e67cb25baadc6.tar.gz linux-stable-524ad00e80b7b1138e933a3dc62e67cb25baadc6.tar.bz2 linux-stable-524ad00e80b7b1138e933a3dc62e67cb25baadc6.zip |
binder: fix memory leak in error path
commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream.
syzkaller found a 32-byte memory leak in a rarely executed error
case. The transaction complete work item was not freed if put_user()
failed when writing the BR_TRANSACTION_COMPLETE to the user command
buffer. Fixed by freeing it before put_user() is called.
Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
-rw-r--r-- | drivers/android/binder.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index ce0e4d317d24..5d67f5fec6c1 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3936,6 +3936,8 @@ retry: case BINDER_WORK_TRANSACTION_COMPLETE: { binder_inner_proc_unlock(proc); cmd = BR_TRANSACTION_COMPLETE; + kfree(w); + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); @@ -3944,8 +3946,6 @@ retry: binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, "%d:%d BR_TRANSACTION_COMPLETE\n", proc->pid, thread->pid); - kfree(w); - binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); } break; case BINDER_WORK_NODE: { struct binder_node *node = container_of(w, struct binder_node, work); |
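Review bot: in the first hunk, kfree(w) now runs before put_user(), so w is a dangling pointer for the rest of the BINDER_WORK_TRANSACTION_COMPLETE case and nothing in the code marks that. The lines visible after it only touch proc->pid and thread->pid, so the change is safe as posted, but a short comment above kfree(w) stating that w must not be dereferenced past this point would keep a later edit (for example, adding a field of w to the binder_debug() call) from turning the leak fix into a use-after-free. It would also help to say in that comment that when put_user() fails the work item is already freed and counted by binder_stats_deleted(), so the BR_TRANSACTION_COMPLETE is dropped rather than retried on the -EFAULT path; the commit message implies this is intended, but the code does not say so.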