[PATCH] binder: free fd fixups on superseded transaction teardown
From: Tristan Madani
Date: Fri Jun 19 2026 - 18:07:04 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
transaction, the outdated transaction is freed with kfree() but its
fd_fixups list is not cleaned up first. Each binder_txn_fd_fixup on
the list holds a reference to a struct file (from fget in the sender
path) that is never released.

All other transaction teardown paths (binder_free_transaction and the
error paths in binder_transaction) correctly call
binder_free_txn_fixups() before freeing. Apply the same cleanup to
the t_outdated teardown path.
Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/android/binder.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 5fc2c8ee61b1..955bdfb4d907 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2920,6 +2920,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
trace_binder_transaction_update_buffer_release(buffer);
binder_release_entire_buffer(proc, NULL, buffer, false);
binder_alloc_free_buf(&proc->alloc, buffer);
+ binder_free_txn_fixups(t_outdated);
kfree(t_outdated);
binder_stats_deleted(BINDER_STAT_TRANSACTION);
}
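Review bot: Placement of the new call looks right: the fd_fixups list is independent of the transaction buffer, so calling binder_free_txn_fixups(t_outdated) after binder_alloc_free_buf() and immediately before kfree(t_outdated) mirrors the order used in binder_free_transaction(), and it drops the struct file reference held by each fixup (the fget reference the commit message describes) before the transaction memory is released. One request for the commit message rather than the code: spell out the consequence of "never released", namely that the leaked file references are not dropped even after the sender and receiver have exited, since that is what makes this a persistent resource leak and justifies the Cc: stable.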
--
2.47.3