Commit 93a260f1 authored by Todd Kjos's avatar Todd Kjos Committed by Greg Kroah-Hartman

binder: fix memory leak in error path

commit 1909a671 upstream.

syzkallar found a 32-byte memory leak in a rarely executed error
case. The transaction complete work item was not freed if put_user()
failed when writing the BR_TRANSACTION_COMPLETE to the user command
buffer. Fixed by freeing it before put_user() is called.

Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent cd05fb74
...@@ -4267,6 +4267,8 @@ static int binder_thread_read(struct binder_proc *proc, ...@@ -4267,6 +4267,8 @@ static int binder_thread_read(struct binder_proc *proc,
case BINDER_WORK_TRANSACTION_COMPLETE: { case BINDER_WORK_TRANSACTION_COMPLETE: {
binder_inner_proc_unlock(proc); binder_inner_proc_unlock(proc);
cmd = BR_TRANSACTION_COMPLETE; cmd = BR_TRANSACTION_COMPLETE;
kfree(w);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
if (put_user(cmd, (uint32_t __user *)ptr)) if (put_user(cmd, (uint32_t __user *)ptr))
return -EFAULT; return -EFAULT;
ptr += sizeof(uint32_t); ptr += sizeof(uint32_t);
...@@ -4275,8 +4277,6 @@ static int binder_thread_read(struct binder_proc *proc, ...@@ -4275,8 +4277,6 @@ static int binder_thread_read(struct binder_proc *proc,
binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
"%d:%d BR_TRANSACTION_COMPLETE\n", "%d:%d BR_TRANSACTION_COMPLETE\n",
proc->pid, thread->pid); proc->pid, thread->pid);
kfree(w);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
} break; } break;
case BINDER_WORK_NODE: { case BINDER_WORK_NODE: {
struct binder_node *node = container_of(w, struct binder_node, work); struct binder_node *node = container_of(w, struct binder_node, work);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment