The Linux Kernel Mailing List
* [PATCH] binder: free fd fixups on superseded transaction teardown
@ 2026-06-19 22:01 Tristan Madani
  2026-06-23  7:18 ` Alice Ryhl
  2026-06-25  0:47 ` Carlos Llamas
  0 siblings, 2 replies; 3+ messages in thread
From: Tristan Madani @ 2026-06-19 22:01 UTC
  To: Greg Kroah-Hartman, Carlos Llamas, Todd Kjos
  Cc: Arve Hjønnevåg, Martijn Coenen, Joel Fernandes,
	Christian Brauner, Suren Baghdasaryan, Li Li, linux-kernel,
	stable, Tristan Madani

From: Tristan Madani <tristan@talencesecurity.com>

When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
transaction, the outdated transaction is freed with kfree() but its
fd_fixups list is not cleaned up first.  Each binder_txn_fd_fixup on
the list holds a reference to a struct file (from fget in the sender
path) that is never released.

All other transaction teardown paths (binder_free_transaction and the
error paths in binder_transaction) correctly call
binder_free_txn_fixups() before freeing.  Apply the same cleanup to
the t_outdated teardown path.

Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 drivers/android/binder.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 5fc2c8ee61b1..955bdfb4d907 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2920,6 +2920,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
 		trace_binder_transaction_update_buffer_release(buffer);
 		binder_release_entire_buffer(proc, NULL, buffer, false);
 		binder_alloc_free_buf(&proc->alloc, buffer);
+		binder_free_txn_fixups(t_outdated);
 		kfree(t_outdated);
 		binder_stats_deleted(BINDER_STAT_TRANSACTION);
 	}
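Review bot: the new binder_free_txn_fixups(t_outdated) call is in the right place, after binder_alloc_free_buf() has released the buffer and immediately before kfree(t_outdated), which matches the order the commit message cites for binder_free_transaction and the binder_transaction error paths; what the message should state explicitly is that t_outdated is still pending and its fixups have not been consumed by the target, so every entry on fd_fixups still holds the struct file reference taken by fget and releasing the list here cannot drop a reference twice. It would also help the stable reviewers to name the observable effect (the referenced files stay open for the life of the system and the fixup entries are never freed), since the Fixes: line alone does not say how the leak manifests.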
-- 
2.47.3
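The leak the commit message describes, shown as an added userspace model (not kernel code and not part of the patch): a refcounted stand-in for struct file, a fixup list playing the role of fd_fixups, and the t_outdated teardown with and without the one-line fix. Every name here is a stand-in chosen for the example.

```c
/* Userspace model of the binder fd-fixup leak (added example, not kernel code). */
#include <stdlib.h>
#include <stdbool.h>

/* Stand-in for struct file: only the reference count matters here. */
struct file { int refcount; };
static struct file *fget_model(struct file *f) { f->refcount++; return f; }
static void fput_model(struct file *f) { f->refcount--; }

/* Mirrors binder_txn_fd_fixup: one node per fd the sender passed. */
struct txn_fd_fixup { struct txn_fd_fixup *next; struct file *file; };
struct transaction { struct txn_fd_fixup *fd_fixups; };

/* Sender path: translating an fd takes a file reference and queues a fixup. */
static void add_fixup(struct transaction *t, struct file *f)
{
    struct txn_fd_fixup *fx = malloc(sizeof(*fx));
    fx->file = fget_model(f);
    fx->next = t->fd_fixups;
    t->fd_fixups = fx;
}

/* Mirrors binder_free_txn_fixups: drop every file reference and node. */
static void free_txn_fixups(struct transaction *t)
{
    while (t->fd_fixups) {
        struct txn_fd_fixup *fx = t->fd_fixups;
        t->fd_fixups = fx->next;
        fput_model(fx->file);
        free(fx);
    }
}

/* The superseded-transaction teardown, before and after the patch. */
static void teardown_outdated(struct transaction *t_outdated, bool patched)
{
    if (patched)
        free_txn_fixups(t_outdated);   /* the one-line fix */
    free(t_outdated);                  /* stands in for kfree(t_outdated) */
}

/* Refcount left on one file after a pending oneway txn carrying nfds copies
 * of that fd is superseded by TF_UPDATE_TXN; 0 means nothing leaked. */
static int refs_left_after_supersede(int nfds, bool patched)
{
    struct file f = { 0 };
    struct transaction *t_outdated = calloc(1, sizeof(*t_outdated));
    for (int i = 0; i < nfds; i++)
        add_fixup(t_outdated, &f);
    teardown_outdated(t_outdated, patched);
    return f.refcount;
}
```

With patched=false the fixup nodes are deliberately leaked as well, mirroring the unfixed kfree() path.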



* Re: [PATCH] binder: free fd fixups on superseded transaction teardown
From: Alice Ryhl @ 2026-06-23  7:18 UTC
  To: Tristan Madani
  Cc: Greg Kroah-Hartman, Carlos Llamas, Todd Kjos,
	Arve Hjønnevåg, Martijn Coenen, Joel Fernandes,
	Christian Brauner, Suren Baghdasaryan, Li Li, linux-kernel,
	stable, Tristan Madani

On Fri, Jun 19, 2026 at 10:01:41PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
> 
> When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
> transaction, the outdated transaction is freed with kfree() but its
> fd_fixups list is not cleaned up first.  Each binder_txn_fd_fixup on
> the list holds a reference to a struct file (from fget in the sender
> path) that is never released.
> 
> All other transaction teardown paths (binder_free_transaction and the
> error paths in binder_transaction) correctly call
> binder_free_txn_fixups() before freeing.  Apply the same cleanup to
> the t_outdated teardown path.
> 
> Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>

Seems reasonable to me.

Reviewed-by: Alice Ryhl <aliceryhl@google.com>


* Re: [PATCH] binder: free fd fixups on superseded transaction teardown
From: Carlos Llamas @ 2026-06-25  0:47 UTC
  To: Tristan Madani
  Cc: Greg Kroah-Hartman, Todd Kjos, Arve Hjønnevåg,
	Martijn Coenen, Joel Fernandes, Christian Brauner,
	Suren Baghdasaryan, Li Li, linux-kernel, stable, Tristan Madani

On Fri, Jun 19, 2026 at 10:01:41PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
> 
> When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
> transaction, the outdated transaction is freed with kfree() but its
> fd_fixups list is not cleaned up first.  Each binder_txn_fd_fixup on
> the list holds a reference to a struct file (from fget in the sender
> path) that is never released.
> 
> All other transaction teardown paths (binder_free_transaction and the
> error paths in binder_transaction) correctly call
> binder_free_txn_fixups() before freeing.  Apply the same cleanup to
> the t_outdated teardown path.
> 
> Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
>  drivers/android/binder.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 5fc2c8ee61b1..955bdfb4d907 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2920,6 +2920,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
>  		trace_binder_transaction_update_buffer_release(buffer);
>  		binder_release_entire_buffer(proc, NULL, buffer, false);
>  		binder_alloc_free_buf(&proc->alloc, buffer);
> +		binder_free_txn_fixups(t_outdated);
>  		kfree(t_outdated);
>  		binder_stats_deleted(BINDER_STAT_TRANSACTION);
>  	}
> -- 
> 2.47.3
> 

Thanks Tristan,

Acked-by: Carlos Llamas <cmllamas@google.com>
