* [PATCH] binder: free fd fixups on superseded transaction teardown
@ 2026-06-19 22:01 Tristan Madani
From: Tristan Madani @ 2026-06-19 22:01 UTC (permalink / raw)
To: Greg Kroah-Hartman, Carlos Llamas, Todd Kjos
Cc: Arve Hjønnevåg, Martijn Coenen, Joel Fernandes,
Christian Brauner, Suren Baghdasaryan, Li Li, linux-kernel,
stable, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
transaction, the outdated transaction is freed with kfree() but its
fd_fixups list is not cleaned up first. Each binder_txn_fd_fixup on
the list holds a reference to a struct file (from fget in the sender
path) that is never released.
All other transaction teardown paths (binder_free_transaction and the
error paths in binder_transaction) correctly call
binder_free_txn_fixups() before freeing. Apply the same cleanup to
the t_outdated teardown path.
Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/android/binder.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 5fc2c8ee61b1..955bdfb4d907 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2920,6 +2920,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
trace_binder_transaction_update_buffer_release(buffer);
binder_release_entire_buffer(proc, NULL, buffer, false);
binder_alloc_free_buf(&proc->alloc, buffer);
+ binder_free_txn_fixups(t_outdated);
kfree(t_outdated);
binder_stats_deleted(BINDER_STAT_TRANSACTION);
}
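Review bot: the added `+ binder_free_txn_fixups(t_outdated);` is correctly ordered before `kfree(t_outdated);`, matching the other teardown paths the commit message cites, but because binder_free_txn_fixups() drops the struct file reference held by each fixup, the commit message should state explicitly that this t_outdated block runs without binder_inner_proc_lock held; the visible context lines (binder_release_entire_buffer, binder_alloc_free_buf) do not show the lock state, and a reader auditing the stable backport needs that fact to confirm releasing file references here is safe.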
--
2.47.3
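To make the leak described in the commit message concrete, the following is an added userspace model written for this page, not kernel code and not part of the patch. It mimics the relevant shape of the binder structures (a transaction carrying a list of fd fixups, each pinning a refcounted file) and compares the outdated-transaction teardown with and without the fixup cleanup by checking the file's refcount afterwards. All names prefixed `model_` are hypothetical stand-ins for the kernel's struct binder_transaction, struct binder_txn_fd_fixup, fget()/fput() and binder_free_txn_fixups().

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct file: only the reference count matters here. */
struct model_file { int refcount; };

/* Hypothetical stand-in for struct binder_txn_fd_fixup, kept on a singly linked list. */
struct model_fd_fixup {
	struct model_file *file;
	struct model_fd_fixup *next;
};

/* Hypothetical stand-in for struct binder_transaction: just the fd_fixups list head. */
struct model_txn {
	struct model_fd_fixup *fd_fixups;
};

/* Model of fget(): take a reference. */
static struct model_file *model_fget(struct model_file *f)
{
	f->refcount++;
	return f;
}

/* Model of fput(): drop a reference. */
static void model_fput(struct model_file *f)
{
	f->refcount--;
}

/* Sender path: each translated fd grabs a file reference and queues a fixup. */
static void model_add_fixup(struct model_txn *t, struct model_file *f)
{
	struct model_fd_fixup *fixup = malloc(sizeof(*fixup));

	fixup->file = model_fget(f);
	fixup->next = t->fd_fixups;
	t->fd_fixups = fixup;
}

/* Model of binder_free_txn_fixups(): release every pinned file and free each node. */
static void model_free_txn_fixups(struct model_txn *t)
{
	while (t->fd_fixups) {
		struct model_fd_fixup *fixup = t->fd_fixups;

		t->fd_fixups = fixup->next;
		model_fput(fixup->file);
		free(fixup);
	}
}

/*
 * Tear down an "outdated" transaction that holds two fd fixups on the same
 * file and return the file's refcount afterwards. The owner holds one
 * reference, so 1 means everything was released; anything higher is the
 * leak. with_fix selects whether the fixup cleanup runs before the free.
 */
static int model_outdated_refcount_after_teardown(int with_fix)
{
	struct model_file file = { .refcount = 1 };	/* 1 = the owning fd table */
	struct model_txn *t = calloc(1, sizeof(*t));
	struct model_fd_fixup *orphaned;

	model_add_fixup(t, &file);
	model_add_fixup(t, &file);
	orphaned = t->fd_fixups;

	if (with_fix)
		model_free_txn_fixups(t);	/* the one-line fix from the patch */
	free(t);				/* kfree(t_outdated) */

	if (!with_fix) {
		/* Harness-only cleanup so this model does not leak heap memory;
		 * note it frees the nodes WITHOUT dropping the file references,
		 * which is exactly what the buggy path leaves behind. */
		while (orphaned) {
			struct model_fd_fixup *n = orphaned->next;

			free(orphaned);
			orphaned = n;
		}
	}
	return file.refcount;
}

int main(void)
{
	printf("refcount after buggy teardown: %d (expected 3)\n",
	       model_outdated_refcount_after_teardown(0));
	printf("refcount after fixed teardown: %d (expected 1)\n",
	       model_outdated_refcount_after_teardown(1));
	return 0;
}
```

The model deliberately separates the two allocations the patch is concerned with: the transaction object itself (already freed correctly by kfree) and the per-fd fixup nodes hanging off it, each of which pins a file. Freeing the head without walking the list leaves those references elevated for the lifetime of the system, which in the kernel keeps the underlying struct file (and whatever it backs) alive indefinitely.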
* Re: [PATCH] binder: free fd fixups on superseded transaction teardown
From: Alice Ryhl @ 2026-06-23 7:18 UTC (permalink / raw)
To: Tristan Madani
Cc: Greg Kroah-Hartman, Carlos Llamas, Todd Kjos,
Arve Hjønnevåg, Martijn Coenen, Joel Fernandes,
Christian Brauner, Suren Baghdasaryan, Li Li, linux-kernel,
stable, Tristan Madani
On Fri, Jun 19, 2026 at 10:01:41PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
> transaction, the outdated transaction is freed with kfree() but its
> fd_fixups list is not cleaned up first. Each binder_txn_fd_fixup on
> the list holds a reference to a struct file (from fget in the sender
> path) that is never released.
>
> All other transaction teardown paths (binder_free_transaction and the
> error paths in binder_transaction) correctly call
> binder_free_txn_fixups() before freeing. Apply the same cleanup to
> the t_outdated teardown path.
>
> Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Seems reasonable to me.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>