Merge "lmkd: Fix an invalid access to a pointer after it's freed" am: 1f149d8d2a

am: 8950a02d10

Change-Id: I87ec58231106933ef3cdcec50110c307bd2b3b83

lmkd/lmkd.c

@@ -612,6 +612,10 @@ static void cmd_procremove(LMKD_CTRL_PACKET packet) {
     }
 
     lmkd_pack_get_procremove(packet, &params);
+    /*
+     * WARNING: After pid_remove() procp is freed and can't be used!
+     * Therefore placed at the end of the function.
+     */
     pid_remove(params.pid);
 }
 
@@ -1098,6 +1102,7 @@ static int kill_one_process(struct proc* procp) {
     char *taskname;
     int tasksize;
     int r;
+    int result = -1;
 
 #ifdef LMKD_LOG_STATS
     struct memory_stat mem_st = {};
@@ -1106,14 +1111,12 @@ static int kill_one_process(struct proc* procp) {
 
     taskname = proc_get_name(pid);
     if (!taskname) {
-        pid_remove(pid);
-        return -1;
+        goto out;
     }
 
     tasksize = proc_get_size(pid);
     if (tasksize <= 0) {
-        pid_remove(pid);
-        return -1;
+        goto out;
     }
 
 #ifdef LMKD_LOG_STATS
@@ -1128,13 +1131,12 @@ static int kill_one_process(struct proc* procp) {
     r = kill(pid, SIGKILL);
     ALOGI("Kill '%s' (%d), uid %d, oom_adj %d to free %ldkB",
         taskname, pid, uid, procp->oomadj, tasksize * page_k);
-    pid_remove(pid);
 
     TRACE_KILL_END();
 
     if (r) {
         ALOGE("kill(%d): errno=%d", pid, errno);
-        return -1;
+        goto out;
     } else {
 #ifdef LMKD_LOG_STATS
         if (memory_stat_parse_result == 0) {
@@ -1143,10 +1145,16 @@ static int kill_one_process(struct proc* procp) {
                     mem_st.cache_in_bytes, mem_st.swap_in_bytes);
         }
 #endif
-        return tasksize;
+        result = tasksize;
     }
 
-    return tasksize;
+out:
+    /*
+     * WARNING: After pid_remove() procp is freed and can't be used!
+     * Therefore placed at the end of the function.
+     */
+    pid_remove(pid);
+    return result;
 }
 
 /*