Commit d53bebdf authored by Xu YiPing, committed by Greg Kroah-Hartman

binder: fix memory corruption in binder_transaction binder

commit 7a4408c6 ("binder: make sure accesses to proc/thread are
safe") made a change to enqueue tcomplete to thread->todo before
enqueuing the transaction. However, in err_dead_proc_or_thread case,
the tcomplete is directly freed, without being dequeued. It may cause the
thread->todo list to be corrupted.

So, dequeue it before freeing.

Fixes: 7a4408c6 ("binder: make sure accesses to proc/thread are safe")
Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 52b81611
...@@ -3082,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc, ...@@ -3082,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc,
err_dead_proc_or_thread: err_dead_proc_or_thread:
return_error = BR_DEAD_REPLY; return_error = BR_DEAD_REPLY;
return_error_line = __LINE__; return_error_line = __LINE__;
binder_dequeue_work(proc, tcomplete);
err_translate_failed: err_translate_failed:
err_bad_object_type: err_bad_object_type:
err_bad_offset: err_bad_offset:
......
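Review bot: the new `binder_dequeue_work(proc, tcomplete);` at err_dead_proc_or_thread carries no comment saying why the dequeue is needed only on this label, which matters because the labels below it (err_translate_failed, err_bad_object_type, err_bad_offset) share the fall-through path that eventually frees tcomplete; suggest a one-line comment above it such as "tcomplete was already queued on thread->todo; remove it before the shared error path frees it", so a future reordering of the enqueue does not silently reintroduce the use-after-free on thread->todo. Also worth confirming in review that proc->inner_lock is not already held at this label, since binder_dequeue_work (the unlocked variant, as opposed to an _ilocked one) acquires that lock itself.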