From: Todd Kjos
To: gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, tkjos@google.com, xuyiping@hisilicon.com, gengyanping@hisilicon.com, shiwanglai@hisilicon.com
Subject: [PATCH] binder: fix memory corruption in binder_transaction binder
Date: Tue, 5 Sep 2017 10:21:52 -0700
Message-Id: <20170905172152.36227-1-tkjos@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xu YiPing

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")
made a change to enqueue tcomplete to thread->todo before enqueuing the
transaction. However, in the err_dead_proc_or_thread case, the tcomplete is
directly freed, without being dequeued. It may cause the thread->todo list
to be corrupted. So, dequeue it before freeing.

Signed-off-by: Xu YiPing
Signed-off-by: Todd Kjos
---
 drivers/android/binder.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d055b3f2a207..96cc28afa383 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3083,6 +3083,7 @@ static void binder_transaction(struct binder_proc *proc, err_dead_proc_or_thread: return_error = BR_DEAD_REPLY; return_error_line = __LINE__; + binder_dequeue_work(proc, tcomplete); err_translate_failed: err_bad_object_type: err_bad_offset: -- 2.14.1.581.gf28d330327-goog
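Review bot: the patch names commit 7a4408c6bd3e as the change that introduced the thread->todo corruption but carries no `Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")` tag; since this repairs list corruption on the BR_DEAD_REPLY path, stable maintainers rely on that tag to pick the fix up, so add it above the Signed-off-by lines. The added `binder_dequeue_work(proc, tcomplete);` is also only correct if every goto into err_dead_proc_or_thread is taken after tcomplete has been queued on thread->todo; the hunk's three lines of context do not show those call sites, so a sentence in the commit message stating that the label is reached only after the enqueue would let a reviewer check the reasoning without the full function.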