binder: fix memory corruption in binder_transaction binder

commit 7a4408c6 ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in err_dead_proc_or_thread case, the tcomplete is directly freed, without dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing. Fixes: 7a4408c6 ("binder: make sure accesses to proc/thread are safe") Signed-off-by: N Xu YiPing <xuyiping@hisilicon.com> Signed-off-by: N Todd Kjos <tkjos@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

binder: fix memory corruption in binder_transaction binder
commit 7a4408c6 ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in err_dead_proc_or_thread case, the tcomplete is directly freed, without dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing. Fixes: 7a4408c6 ("binder: make sure accesses to proc/thread are safe") Signed-off-by: N Xu YiPing <xuyiping@hisilicon.com> Signed-off-by: N Todd Kjos <tkjos@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
d53bebdf · Xu YiPing · Greg Kroah-Hartman · 52b81611 · d53bebdf
显示空白变更内容
内联并排

Showing with 1 addition and 0 deletion

drivers/android/binder.c drivers/android/binder.c +1 -0

未找到文件。
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3082,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc,
 err_dead_proc_or_thread:
 	return_error = BR_DEAD_REPLY;
 	return_error_line = __LINE__;
+	binder_dequeue_work(proc, tcomplete);
 err_translate_failed:
 err_bad_object_type:
 err_bad_offset: