On Mon, May 8, 2017 at 1:43 PM, Dmitry Torokhov
<dmitry.torokhov@xxxxxxxxx> wrote:
> If binder_get_thread() fails to give us a thread data, we should avoid
> dereferencing a NULL pointer and return POLLERR instead.
>
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Pulling Todd Kjos in on this too.
-john
> ---
> drivers/android/binder.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index aae4d8d4be36..66ed714fedd5 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
> struct poll_table_struct *wait)
> {
> struct binder_proc *proc = filp->private_data;
> - struct binder_thread *thread = NULL;
> + struct binder_thread *thread;
> int wait_for_proc_work;
>
> binder_lock(__func__);
>
> thread = binder_get_thread(proc);
> -
> - wait_for_proc_work = thread->transaction_stack == NULL &&
> - list_empty(&thread->todo) && thread->return_error == BR_OK;
> + if (thread)
> + wait_for_proc_work = thread->transaction_stack == NULL &&
> + list_empty(&thread->todo) &&
> + thread->return_error == BR_OK;
>
> binder_unlock(__func__);
>
> + if (!thread)
> + return POLLERR;
> +
> if (wait_for_proc_work) {
> if (binder_has_proc_work(proc, thread))
> return POLLIN;
> --
> 2.13.0.rc1.294.g07d810a77f-goog
>
>
> --
> Dmitry
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
