binder: fix memory leak in error path (524ad00e) · Commits · e / devices / android_kernel_xiaomi_nabu

commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by:

<syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com> Signed-off-by:

Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/android/binder.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -3936,6 +3936,8 @@ static int binder_thread_read(struct binder_proc *proc,
		case BINDER_WORK_TRANSACTION_COMPLETE: {
		binder_inner_proc_unlock(proc);
		cmd = BR_TRANSACTION_COMPLETE;
		kfree(w);
		binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		if (put_user(cmd, (uint32_t __user *)ptr))
		return -EFAULT;
		ptr += sizeof(uint32_t);
		@@ -3944,8 +3946,6 @@ static int binder_thread_read(struct binder_proc *proc,
		binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
		"%d:%d BR_TRANSACTION_COMPLETE\n",
		proc->pid, thread->pid);
		kfree(w);
		binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		} break;
		case BINDER_WORK_NODE: {
		struct binder_node *node = container_of(w, struct binder_node, work);