Carlos Llamas
unread,Sep 28, 2023, 5:47:11 AM9/28/23Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Sign in to report message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Hang Lu, linux-...@vger.kernel.org, kerne...@android.com, syzkall...@googlegroups.com, sta...@vger.kernel.org, syzbot+7f10c1...@syzkaller.appspotmail.com, Todd Kjos
A transaction complete work is allocated and queued for each
transaction. Under certain conditions the work->type might be marked as
BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT to notify userspace about
potential spamming threads.
However, this work->type is not being handled in binder_release_work()
so it will leak during a clean up. This was reported by syzkaller with
the following kmemleak dump:
BUG: memory leak
unreferenced object 0xffff88810e2d6de0 (size 32):
comm "syz-executor338", pid 5046, jiffies 4294968230 (age 13.590s)
hex dump (first 32 bytes):
e0 6d 2d 0e 81 88 ff ff e0 6d 2d 0e 81 88 ff ff .m-......m-.....
04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff81573b75>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff83d41873>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff83d41873>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83d41873>] binder_transaction+0x573/0x4050 drivers/android/binder.c:3152
[<ffffffff83d45a05>] binder_thread_write+0x6b5/0x1860 drivers/android/binder.c:4010
[<ffffffff83d486dc>] binder_ioctl_write_read drivers/android/binder.c:5066 [inline]
[<ffffffff83d486dc>] binder_ioctl+0x1b2c/0x3cf0 drivers/android/binder.c:5352
[<ffffffff816b25f2>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff816b25f2>] __do_sys_ioctl fs/ioctl.c:871 [inline]
[<ffffffff816b25f2>] __se_sys_ioctl fs/ioctl.c:857 [inline]
[<ffffffff816b25f2>] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:857
[<ffffffff84b30008>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b30008>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix the leak by kfreeing this work in binder_release_work().
Cc:
sta...@vger.kernel.org
Fixes: a7dc1e6f99df ("binder: tell userspace to dump current backtrace when detected oneway spamming")
Reported-by:
syzbot+7f10c1...@syzkaller.appspotmail.com
Closes:
https://syzkaller.appspot.com/bug?extid=7f10c1653e35933c0f1e
Signed-off-by: Carlos Llamas <
cmll...@google.com>
---
drivers/android/binder.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 367afac5f1bf..d7aa561f4ef2 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4831,6 +4831,9 @@ static void binder_release_work(struct binder_proc *proc,
} break;
case BINDER_WORK_NODE:
break;
+ case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT:
+ kfree(w);
+ break;
default:
pr_err("unexpected work type, %d, not freed\n",
wtype);
--
2.42.0.515.g380fc7ccd1-goog