If binder_get_thread() fails to give us a thread data, we should avoid dereferencing a NULL pointer and return POLLERR instead.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
 drivers/android/binder.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index aae4d8d4be36..66ed714fedd5 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
 struct poll_table_struct *wait)
 {
 struct binder_proc *proc = filp->private_data;
- struct binder_thread *thread = NULL;
+ struct binder_thread *thread;
 int wait_for_proc_work;

 binder_lock(__func__);

 thread = binder_get_thread(proc);
-
- wait_for_proc_work = thread->transaction_stack == NULL &&
- list_empty(&thread->todo) && thread->return_error == BR_OK;
+ if (thread)
+ wait_for_proc_work = thread->transaction_stack == NULL &&
+ list_empty(&thread->todo) &&
+ thread->return_error == BR_OK;

 binder_unlock(__func__);

+ if (!thread)
+ return POLLERR;
+
 if (wait_for_proc_work) {
 if (binder_has_proc_work(proc, thread))
 return POLLIN;
--
2.13.0.rc1.294.g07d810a77f-goog

--
Dmitry
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
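Review bot: On the `!thread` path `wait_for_proc_work` is never assigned, so the function is only safe because `if (!thread) return POLLERR;` sits before the first read of it; a compiler that cannot correlate the two tests may also report the variable as possibly uninitialized. Handling the failure where it is detected keeps the NULL check next to the dereferences it protects: `if (!thread) { binder_unlock(__func__); return POLLERR; }` directly after `binder_get_thread(proc)`, with the original unconditional assignment left as it was. A short comment such as `/* no thread data (presumably allocation failure): report an error instead of dereferencing NULL */` would record why poll() can return POLLERR here. The rest of binder_poll() lies outside the hunk, so later uses of `thread` could not be checked.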