Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp843034ybi; Fri, 12 Jul 2019 05:34:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqzH7HTwISoVvG86NdUj+yxu8E6JBqyqAOuZOJdGstFrVzgmUWenGlES5oHy0tcEmwQ70HQk X-Received: by 2002:a63:6904:: with SMTP id e4mr10480770pgc.321.1562934852949; Fri, 12 Jul 2019 05:34:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562934852; cv=none; d=google.com; s=arc-20160816; b=HMRepo6C6fFEF1ajaoyofsSaPMQokdsdWss6ku7M3GxMQ9JgO7GENOqGstd2Q7QB+P nBq57j8GudneMjajm2pPLDneZiCdL0VBcrS7UomwbREHSBkH4U5O8vcnHRVs1D1TjCpI KepxAtrGaAYqOgMAKTGrTZXAV53XTnE0brhIXK+30oFNNFPWSsncztiugIvZG5ZiFVzp xawLWBMNBlT5YZqgr3UnrAoHGyAE8EDRhIl+DKxckVHow0sqf1HOheDYulPH1CTVOtzf H/VFCkRV7439TnaKtaLPclKWXyytQUHbfgsPPZHOsKPjMC80gRMRhM74swzQ86kP3Xts 0/bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=JEe4czy5wdD68xATLANS2vRKaBu+esHE7NIs1JzCtyA=; b=BJh22ZfNLLNriFtAV0BycpAQP1Sey2Yr/dTaBnaE2d1XJqJ5P10AiqzAcM79ep3sVc 5qWS4xreV4rzmsvZhH3V3UJHLwUdvxOfBx8JWh7r2ss+SHz6zQ+FeCQnZ48lu1pk1bqd 6Xn1HfFF53pZaPZkoUBfgsXW1zkD4CQks+B1o7UVfUXz7C4s38RPIfukZ7+y9VTAzO9c 8ot1is+pOQAdK0QFYe7+zyGBZZI8EFtyBmLyk3bMwrxv93mbERjA580oH7KN3gispORV Rl8K4J6kidGX/DFb+0hu0eom8wkj4Mi0CvB4bU6rgxy4195HhIfXIbfVpmmm+KoJdTiI xWQA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=knSdtgxz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m129si8564573pfm.15.2019.07.12.05.33.57; Fri, 12 Jul 2019 05:34:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=knSdtgxz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729356AbfGLMbs (ORCPT + 99 others); Fri, 12 Jul 2019 08:31:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:48764 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727603AbfGLMbq (ORCPT ); Fri, 12 Jul 2019 08:31:46 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 889E121019; Fri, 12 Jul 2019 12:31:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562934705; bh=2UB7NHElc5e3ubkFiiIstTcEaan7t9U1hELRnX40JlE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=knSdtgxzX3aKbBqrj50xtSNVr88g7BljCPn/5k3uPPexpMJwPxx5NU+nGIPXb6wjB krQvPD8B/jnqjalmeIu+2reYeWErDsvlvP5/8KdNtLdQY0YJYw64702R/UHXZwbU9k pp9/ayzWeQcWnNrDUoCSX/2vcfWcEUZC3rIyuo4U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com, Todd Kjos Subject: [PATCH 5.1 125/138] binder: fix memory leak in error path Date: Fri, 12 Jul 2019 14:19:49 +0200 Message-Id: <20190712121633.533436037@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190712121628.731888964@linuxfoundation.org> References: <20190712121628.731888964@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Todd Kjos commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -4267,6 +4267,8 @@ retry: case BINDER_WORK_TRANSACTION_COMPLETE: { binder_inner_proc_unlock(proc); cmd = BR_TRANSACTION_COMPLETE; + kfree(w); + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); @@ -4275,8 +4277,6 @@ retry: binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, "%d:%d BR_TRANSACTION_COMPLETE\n", proc->pid, thread->pid); - kfree(w); - binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); } break; case BINDER_WORK_NODE: { struct binder_node *node = container_of(w, struct binder_node, work);