linux/drivers/android
Xu YiPing d53bebdf4d binder: fix memory corruption in binder_transaction binder
commit 7a4408c6bd ("binder: make sure accesses to proc/thread are
safe") made a change to enqueue tcomplete to thread->todo before
enqueuing the transaction. However, in the err_dead_proc_or_thread case,
the tcomplete is directly freed without being dequeued. It may cause the
thread->todo list to be corrupted.

So, dequeue it before freeing.

Fixes: 7a4408c6bd ("binder: make sure accesses to proc/thread are safe")
Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-18 16:06:00 +02:00
Kconfig                  android: binder: Add allocator selftest                     2017-08-28 16:47:17 +02:00
Makefile                 android: binder: Add allocator selftest                     2017-08-28 16:47:17 +02:00
binder.c                 binder: fix memory corruption in binder_transaction binder  2017-09-18 16:06:00 +02:00
binder_alloc.c           android: binder: Add page usage in binder stats             2017-09-01 08:53:32 +02:00
binder_alloc.h           android: binder: Add page usage in binder stats             2017-09-01 08:53:32 +02:00
binder_alloc_selftest.c  android: binder: Add global lru shrinker to binder          2017-08-28 16:47:17 +02:00
binder_trace.h           android: binder: Add shrinker tracepoints                   2017-08-28 16:47:17 +02:00