binder: fix memory leak in error path (1909a671) · Commits · 戴 / test

syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by:

<syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com> Signed-off-by:

Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/android/binder.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -4256,6 +4256,8 @@ retry:
		case BINDER_WORK_TRANSACTION_COMPLETE: {
		binder_inner_proc_unlock(proc);
		cmd = BR_TRANSACTION_COMPLETE;
		kfree(w);
		binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		if (put_user(cmd, (uint32_t __user *)ptr))
		return -EFAULT;
		ptr += sizeof(uint32_t);
		@@ -4264,8 +4266,6 @@ retry:
		binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
		"%d:%d BR_TRANSACTION_COMPLETE\n",
		proc->pid, thread->pid);
		kfree(w);
		binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		} break;
		case BINDER_WORK_NODE: {
		struct binder_node *node = container_of(w, struct binder_node, work);

Admin message