Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Staging: android: binder: Fix memory leak on thread/process exit

If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arve Hjønnevåg 12 years ago
parent
922b67c1ac
commit
675d66b0ed
1 changed files with 27 additions and 1 deletions
Split View Show Diff Stats
  1. 27 1
      drivers/staging/android/binder.c

+ 27 - 1
drivers/staging/android/binder.c
View File 

@@ -2419,14 +2419,38 @@ static void binder_release_work(struct list_head *list)
 
 			struct binder_transaction *t;
 
 
 			t = container_of(w, struct binder_transaction, work);
 
-			if (t->buffer->target_node && !(t->flags & TF_ONE_WAY))
 
+			if (t->buffer->target_node &&
 
+			    !(t->flags & TF_ONE_WAY)) {
 
 				binder_send_failed_reply(t, BR_DEAD_REPLY);
 
+			} else {
 
+				binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
 
+					"binder: undelivered transaction %d\n",
 
+					t->debug_id);
 
+				t->buffer->transaction = NULL;
 
+				kfree(t);
 
+				binder_stats_deleted(BINDER_STAT_TRANSACTION);
 
+			}
 
 		} break;
 
 		case BINDER_WORK_TRANSACTION_COMPLETE: {
 
+			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
 
+				"binder: undelivered TRANSACTION_COMPLETE\n");
 
 			kfree(w);
 
 			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
 
 		} break;
 
+		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
 
+		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
 
+			struct binder_ref_death *death;
 
+
 
+			death = container_of(w, struct binder_ref_death, work);
 
+			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
 
+				"binder: undelivered death notification, %p\n",
 
+				death->cookie);
 
+			kfree(death);
 
+			binder_stats_deleted(BINDER_STAT_DEATH);
 
+		} break;
 
 		default:
 
+			pr_err("binder: unexpected work type, %d, not freed\n",
 
+			       w->type);
 
 			break;
 
 		}
 
 	}
 
@@ -2899,6 +2923,7 @@ static void binder_deferred_release(struct binder_proc *proc)
 
 		nodes++;
 
 		rb_erase(&node->rb_node, &proc->nodes);
 
 		list_del_init(&node->work.entry);
 
+		binder_release_work(&node->async_todo);
 
 		if (hlist_empty(&node->refs)) {
 
 			kfree(node);
 
 			binder_stats_deleted(BINDER_STAT_NODE);
 
@@ -2937,6 +2962,7 @@ static void binder_deferred_release(struct binder_proc *proc)
 
 		binder_delete_ref(ref);
 
 	}
 
 	binder_release_work(&proc->todo);
 
+	binder_release_work(&proc->delivered_death);
 
 	buffers = 0;
 
 
 	while ((n = rb_first(&proc->allocated_buffers))) {