[PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super

From: Dongliang Mu
Date: Fri Aug 12 2022 - 09:23:35 EST


From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>

In binderfs_fill_super, if s_root is not successfully initialized by
d_make_root, the previously allocated s_sb_info will not be freed, since
generic_shutdown_super first checks sb->s_root and only then does the
put_super operation. The put_super operation calls binderfs_put_super
to deallocate s_sb_info and put ipc_ns. This will lead to a memory leak
in binderfs_fill_super.

Fix this by invoking binderfs_put_super at the error sites before s_root
is successfully initialized.

Fixes: 095cf502b31e ("binderfs: port to new mount api")
Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
---
drivers/android/binderfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
index 588d753a7a19..20f5bc77495f 100644
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -710,8 +710,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
info->mount_opts.stats_mode = ctx->stats_mode;

inode = new_inode(sb);
- if (!inode)
+ if (!inode) {
+ binderfs_put_super(sb);
return -ENOMEM;
+ }

inode->i_ino = FIRST_INODE;
inode->i_fop = &simple_dir_operations;
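Review bot: calling binderfs_put_super(sb) by hand on the new_inode() failure path is only safe if nothing later tears down sb->s_fs_info a second time, so please confirm that binderfs_put_super() resets sb->s_fs_info to NULL (or that the filesystem's kill_sb never touches it): when fill_super returns an error the mount core still runs deactivate_locked_super() and therefore kill_sb on this superblock, and the commit message's observation that put_super is skipped while s_root is NULL does not by itself rule out a kill_sb that frees s_fs_info. An alternative that avoids per-site cleanup entirely is to release ipc_ns and s_fs_info from kill_sb, which runs on every teardown regardless of whether s_root was set. Nit for the commit message: the field is sb->s_fs_info, not s_sb_info.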
@@ -721,8 +723,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
set_nlink(inode, 2);

sb->s_root = d_make_root(inode);
- if (!sb->s_root)
+ if (!sb->s_root) {
+ binderfs_put_super(sb);
return -ENOMEM;
+ }

ret = binderfs_binder_ctl_create(sb);
if (ret)
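Review bot: this site is correct only because d_make_root() drops the inode itself when it fails (it calls iput() on the inode it was handed), so the added binderfs_put_super(sb) must not be paired with an iput(inode) here; a one-line comment saying so would stop someone from "fixing" it later. It would also help to state why the manual cleanup stops at this point: once sb->s_root is set, the failure of `ret = binderfs_binder_ctl_create(sb); if (ret)` just below is covered by generic_shutdown_super() calling put_super, so no call is needed there and the asymmetry between the two error returns is intentional.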
--
2.25.1