Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp851364ybi; Fri, 12 Jul 2019 05:42:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqxmwamh/DqUSThv+hXEcoG6t5vtk4Jx7rPJu8aC8TNmVtvOZUmezdSdPtDqFB1G6fcwt0Fu X-Received: by 2002:a17:902:6a88:: with SMTP id n8mr11307495plk.70.1562935352311; Fri, 12 Jul 2019 05:42:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562935352; cv=none; d=google.com; s=arc-20160816; b=Xpf3s/OvX7Y/0jIRF9SSRlLvka1Y+Vd9JJfz2ULmc2ccsm8KTl3BnpA06I3cE3YkXW ZrqQH+3Au+ej5lOJtcQ/nTl6+FM2IES7xDTrFYe8QTehrwd7FDdKlR26TQhvDwDY8H/a qtJ6UPNQtjmqsa9hR+YzKuHdiK6vjc4FACUP7CKvH9CwNAhX+tOv1fcKfDN32jtKSUKV Cy5FnYszHqlujeirvFdKgiBnrHsUYCKAxC0DcuKE2sLtUWZIEnRXeGtbE6jkSSVFkIPS E/J451zES8H3QzYMFEpKFOQ+JykyZjz936n3rf0VfHYUy59gtP1Yw18tjFomrpmk7YbO e8Gg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QMQdj5Z7HM2tzBiJskHoB+Uw1625UZINj2+e8DjohiY=; b=RuTDRtSBzlhBrEisrYWZpRo9SxyKHbqCj0CTwtbwEouxBrVAg8xtmHfGBnoIpp9KOH JufLALQNPKEbceLkqRSPOLo9FmtOTnFdni9FLaTPWHsBuvvKBgmrLMAKKs8jikZfAz68 UspKJ8+yVQQZYTJdGYn8e82hkIklEerpqgJf/P+sZflqopWlcm8X+GKf30QFcZj4lwhz LV34sXkT6//HIgrgrYom783bNM/i+wdYv/h+bp1gfbVt3Sg7KM3A00JJeWBvx+16qTZh GVcuqI9EjDr0HnFT0NW46o71Vt5g4fRb5gIrLXUE+4b/TBLD0qp/R5GFgKOFLx3y/uLP FfEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Dnh91HCg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f10si2407523pjw.89.2019.07.12.05.42.16; Fri, 12 Jul 2019 05:42:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Dnh91HCg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728064AbfGLMYQ (ORCPT + 99 others); Fri, 12 Jul 2019 08:24:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:60378 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728021AbfGLMYE (ORCPT ); Fri, 12 Jul 2019 08:24:04 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 80F342084B; Fri, 12 Jul 2019 12:24:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562934243; bh=/pzwLKBAff43M8fs3y8Rlov95R2XE42Zl7umpWphhoo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Dnh91HCgJXgDkVqqx8JhLS7R+31w/y3V1RQoJlo+Jr7GwuR51uZJ1M8e+cygzX+Tz Xf/WbFkFqArzgAMPbB/jRc70YQ5ZvMQ5g2NWo7ifxOR/Q3hkDuatv6IvfcqJ+dVMjh 1+31rc9ellTq0dUWKZssfKWC6351A7d31msjf1zw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com, Todd Kjos Subject: [PATCH 4.19 82/91] binder: fix memory leak in error path Date: Fri, 12 Jul 2019 14:19:25 +0200 Message-Id: <20190712121626.177607735@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190712121621.422224300@linuxfoundation.org> References: <20190712121621.422224300@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Todd Kjos commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3936,6 +3936,8 @@ retry: case BINDER_WORK_TRANSACTION_COMPLETE: { binder_inner_proc_unlock(proc); cmd = BR_TRANSACTION_COMPLETE; + kfree(w); + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); @@ -3944,8 +3946,6 @@ retry: binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, "%d:%d BR_TRANSACTION_COMPLETE\n", proc->pid, thread->pid); - kfree(w); - binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); } break; case BINDER_WORK_NODE: { struct binder_node *node = container_of(w, struct binder_node, work);