From: Xu YiPing
Date: Mon, 22 May 2017 18:26:23 +0000 (-0700)
Subject: FROMLIST: binder: fix memory corruption in binder_transaction binder
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c90ac0e20921c055f97bdcadacf3de590db3c058;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git

FROMLIST: binder: fix memory corruption in binder_transaction binder

(from https://patchwork.kernel.org/patch/9939405/)

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in the err_dead_proc_or_thread case, tcomplete is directly freed without being dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing.

Bug: 65333488
Change-Id: Id063a4db18deaa634f4d44aa6ebca47bea32537a
Signed-off-by: Xu YiPing
Signed-off-by: Todd Kjos
---
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 47d5f77772b..a4a94831d55 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3260,6 +3260,7 @@ static void binder_transaction(struct binder_proc *proc, err_dead_proc_or_thread: return_error = BR_DEAD_REPLY; return_error_line = __LINE__; + binder_dequeue_work(proc, tcomplete); err_translate_failed: err_bad_object_type: err_bad_offset:
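Review bot: the single added line at err_dead_proc_or_thread, `binder_dequeue_work(proc, tcomplete);`, should carry a one-line comment saying why this label in particular needs the unlink: the commit message explains that tcomplete is already on thread->todo when this path is taken and is then freed, but the hunk's trailing context (err_translate_failed, err_bad_object_type, err_bad_offset) shows three more labels and nothing at the change site tells a reader whether those are reached before or after the enqueue, so the free that this dequeue protects is not visible here either. A comment such as `/* tcomplete was already queued on thread->todo; unlink it before it is freed */` would keep a future error path added between the enqueue and the free from reintroducing the dangling list entry. It is also worth stating in the commit message that binder_dequeue_work takes the proc inner lock itself, since the label is entered without any lock visibly held in the hunk.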