Re: [PATCH] binder: free fd fixups on superseded transaction teardown
From: Carlos Llamas
Date: Wed Jun 24 2026 - 20:47:37 EST
On Fri, Jun 19, 2026 at 10:01:41PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> When a TF_UPDATE_TXN oneway transaction supersedes an outdated pending
> transaction, the outdated transaction is freed with kfree() but its
> fd_fixups list is not cleaned up first. Each binder_txn_fd_fixup on
> the list holds a reference to a struct file (from fget in the sender
> path) that is never released.
>
> All other transaction teardown paths (binder_free_transaction and the
> error paths in binder_transaction) correctly call
> binder_free_txn_fixups() before freeing. Apply the same cleanup to
> the t_outdated teardown path.
>
> Fixes: 9864bb480133 ("Binder: add TF_UPDATE_TXN to replace outdated txn")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/android/binder.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 5fc2c8ee61b1..955bdfb4d907 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2920,6 +2920,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
> trace_binder_transaction_update_buffer_release(buffer);
> binder_release_entire_buffer(proc, NULL, buffer, false);
> binder_alloc_free_buf(&proc->alloc, buffer);
> + binder_free_txn_fixups(t_outdated);
> kfree(t_outdated);
> binder_stats_deleted(BINDER_STAT_TRANSACTION);
> }
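Review bot: the added binder_free_txn_fixups(t_outdated) call comes after binder_alloc_free_buf(&proc->alloc, buffer), so please confirm the fixup cleanup does not touch the buffer that was just freed. If it only walks the fd_fixups list on t_outdated and drops the struct file references, as the commit message describes, the ordering is fine. Because this path open-codes the teardown instead of going through binder_free_transaction(), a one-line comment above the new call noting that the fixups hold file references would make it harder for a later change to drop it again.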
> --
> 2.47.3
>
Thanks Tristan,
Acked-by: Carlos Llamas <cmllamas@xxxxxxxxxx>