Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

binder: fix memory corruption in binder_transaction binder

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are
safe") made a change to enqueue tcomplete to thread->todo before
enqueuing the transaction. However, in err_dead_proc_or_thread case,
the tcomplete is directly freed, without dequeued. It may cause the
thread->todo list to be corrupted.

So, dequeue it before freeing.

Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")
Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xu YiPing 8 years ago
parent
52b81611f2
commit
d53bebdf4d
1 changed files with 1 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      drivers/android/binder.c

+ 1 - 0
drivers/android/binder.c
View File 

@@ -3082,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc,
 
 err_dead_proc_or_thread:
 
 	return_error = BR_DEAD_REPLY;
 
 	return_error_line = __LINE__;
 
+	binder_dequeue_work(proc, tcomplete);
 
 err_translate_failed:
 
 err_bad_object_type:
 
 err_bad_offset: