Dmitry,
On Mon, May 8, 2017 at 1:46 PM, John Stultz <john.stultz@xxxxxxxxxx> wrote:
> On Mon, May 8, 2017 at 1:43 PM, Dmitry Torokhov
> <dmitry.torokhov@xxxxxxxxx> wrote:
>> If binder_get_thread() fails to give us a thread data, we should avoid
>> dereferencing a NULL pointer and return POLLERR instead.
>>
>> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
>
> Pulling Todd Kjos in on this too.
> -john
>
>> ---
>> drivers/android/binder.c | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
>> index aae4d8d4be36..66ed714fedd5 100644
>> --- a/drivers/android/binder.c
>> +++ b/drivers/android/binder.c
>> @@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
>> struct poll_table_struct *wait)
>> {
>> struct binder_proc *proc = filp->private_data;
>> - struct binder_thread *thread = NULL;
>> + struct binder_thread *thread;
>> int wait_for_proc_work;
>>
>> binder_lock(__func__);
>>
>> thread = binder_get_thread(proc);
>> -
>> - wait_for_proc_work = thread->transaction_stack == NULL &&
>> - list_empty(&thread->todo) && thread->return_error == BR_OK;
>> + if (thread)
>> + wait_for_proc_work = thread->transaction_stack == NULL &&
>> + list_empty(&thread->todo) &&
>> + thread->return_error == BR_OK;
>>
>> binder_unlock(__func__);
>>
>> + if (!thread)
>> + return POLLERR;
>> +
>> if (wait_for_proc_work) {
>> if (binder_has_proc_work(proc, thread))
>> return POLLIN;
>> --
I'm no expert on the poll function, but I agree that it's wise to
check the result of binder_get_thread() since it can return NULL.
FWIW:
Reviewed-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
