[PATCH 4.13 20/47] binder: free memory on error
From: Greg Kroah-Hartman
Date: Fri Sep 08 2017 - 09:53:23 EST
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <christian.brauner@xxxxxxxxxx>
commit 22eb9476b5d80a393ac0ba235c42bccc90b82c76 upstream.
On binder_init() the devices string is duplicated and smashed into individual
device names which are passed along. However, the original duplicated string
wasn't freed in case binder_init() failed. Let's free it on error.
Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/android/binder.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4215,7 +4215,7 @@ static int __init init_binder_device(con
static int __init binder_init(void)
{
int ret;
- char *device_name, *device_names;
+ char *device_name, *device_names, *device_tmp;
struct binder_device *device;
struct hlist_node *tmp;
@@ -4263,7 +4263,8 @@ static int __init binder_init(void)
}
strcpy(device_names, binder_devices_param);
- while ((device_name = strsep(&device_names, ","))) {
+ device_tmp = device_names;
+ while ((device_name = strsep(&device_tmp, ","))) {
ret = init_binder_device(device_name);
if (ret)
goto err_init_binder_device_failed;
@@ -4277,6 +4278,9 @@ err_init_binder_device_failed:
hlist_del(&device->hlist);
kfree(device);
}
+
+ kfree(device_names);
+
err_alloc_device_names_failed:
debugfs_remove_recursive(binder_debugfs_dir_entry_root);