MIRRORS/linux-imx
1
0
Fork 0
mirror of https://github.com/nxp-imx/linux-imx.git synced 2025-07-06 09:25:22 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ANDROID: rust_binder: fix leak of name in binderfs

Browse Source 
The `rust_binder_new_device` method just makes a copy of the provided c
string, and does not take ownership of it. This means that there's no
reason to kmemdup the string. Also, outside of the error path, the name
is not freed.

Fixes: 0d512d37b0 ("ANDROID: rust_binder: add binderfs support to Rust binder")
Change-Id: I4cb63ff0c46d04da7f9debfa9896113779856c02
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
This commit is contained in:
Alice Ryhl 2024-06-28 11:47:01 +00:00 committed by Treehugger Robot
parent 0dcde40390
commit 013c5ddc64
1 changed files with 2 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
drivers/android/binder/rust_binderfs.c
View File

@ -139,8 +139,6 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
int minor, ret; int minor, ret;
struct dentry *dentry, *root; struct dentry *dentry, *root;
rust_binder_device device = NULL; rust_binder_device device = NULL;
char *name = NULL;
size_t name_len;
struct inode *inode = NULL; struct inode *inode = NULL;
struct super_block *sb = ref_inode->i_sb; struct super_block *sb = ref_inode->i_sb;
struct binderfs_info *info = sb->s_fs_info; struct binderfs_info *info = sb->s_fs_info;
@ -168,13 +166,8 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
ret = -ENOMEM; ret = -ENOMEM;
req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
name_len = strlen(req->name);
/* Make sure to include terminating NUL byte */
name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
if (!name)
goto err;
device = rust_binder_new_device(name); device = rust_binder_new_device(req->name);
if (!device) if (!device)
goto err; goto err;
@ -202,7 +195,7 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
inode_lock(d_inode(root)); inode_lock(d_inode(root));
/* look it up */ /* look it up */
dentry = lookup_one_len(name, root, name_len); dentry = lookup_one_len(req->name, root, strlen(req->name));
if (IS_ERR(dentry)) { if (IS_ERR(dentry)) {
inode_unlock(d_inode(root)); inode_unlock(d_inode(root));
ret = PTR_ERR(dentry); ret = PTR_ERR(dentry);
@ -225,7 +218,6 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
return 0; return 0;
err: err:
kfree(name);
rust_binder_remove_device(device); rust_binder_remove_device(device);
mutex_lock(&binderfs_minors_mutex); mutex_lock(&binderfs_minors_mutex);
--info->device_count; --info->device_count;