public inbox for linux-kernel@vger.kernel.org
* [PATCH] android: binder: check result of binder_get_thread() in binder_poll()
@ 2017-05-08 20:43 Dmitry Torokhov
  2017-05-08 20:46 ` John Stultz
  2017-08-23  1:50 ` Greg Kroah-Hartman
  0 siblings, 2 replies; 4+ messages in thread
From: Dmitry Torokhov @ 2017-05-08 20:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Arve Hjønnevåg, Riley Andrews, Martijn Coenen,
	John Stultz, Douglas Anderson, devel, linux-kernel

If binder_get_thread() fails to give us thread data, we should avoid
dereferencing a NULL pointer and return POLLERR instead.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
 drivers/android/binder.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index aae4d8d4be36..66ed714fedd5 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
 				struct poll_table_struct *wait)
 {
 	struct binder_proc *proc = filp->private_data;
-	struct binder_thread *thread = NULL;
+	struct binder_thread *thread;
 	int wait_for_proc_work;
 
 	binder_lock(__func__);
 
 	thread = binder_get_thread(proc);
-
-	wait_for_proc_work = thread->transaction_stack == NULL &&
-		list_empty(&thread->todo) && thread->return_error == BR_OK;
+	if (thread)
+		wait_for_proc_work = thread->transaction_stack == NULL &&
+				     list_empty(&thread->todo) &&
+				     thread->return_error == BR_OK;
 
 	binder_unlock(__func__);
 
+	if (!thread)
+		return POLLERR;
+
 	if (wait_for_proc_work) {
 		if (binder_has_proc_work(proc, thread))
 			return POLLIN;
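Review bot: the NULL result is tested twice, once under the lock (`if (thread)`) and again after `binder_unlock()` (`if (!thread)`), and on the NULL path `wait_for_proc_work` is left uninitialised, which gcc may flag with -Wmaybe-uninitialized even though the early return makes that read unreachable. A single check directly after `thread = binder_get_thread(proc);` that drops the lock and bails out reads more simply, e.g. `if (!thread) { binder_unlock(__func__); return POLLERR; }`, after which the predicate assignment can stay unconditional as it was before. The fix as written is still correct: binder_unlock() runs before the early return, so no lock is leaked on the error path.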
-- 
2.13.0.rc1.294.g07d810a77f-goog


-- 
Dmitry

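The patched control flow above, as an added example that is not part of the original patch or of binder.c: a small user-space model in C of binder_poll() after the fix. It keeps the patch's names where they matter (the thread fields transaction_stack/todo/return_error, wait_for_proc_work, POLLERR), but the struct layouts, the lock counter standing in for binder_lock()/binder_unlock(), the fail_alloc switch that forces the binder_get_thread() lookup to fail, and the two work-pending helpers are all assumptions made for illustration.

```c
/* Added example, not code from drivers/android/binder.c: a user-space
 * model of the patched binder_poll() flow. Struct layouts, the lock
 * counter, the fail_alloc fault injection and the work helpers are
 * assumptions for illustration only. */
#include <poll.h>      /* POLLIN, POLLERR */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MODEL_BR_OK 0  /* stands in for BR_OK */

struct model_thread {
    void *transaction_stack;   /* NULL when no transaction is in flight */
    size_t todo;               /* queued per-thread work items */
    int return_error;          /* MODEL_BR_OK unless an error is pending */
};

struct model_proc {
    int lock_depth;            /* stand-in for binder_lock(): 0 == free */
    struct model_thread *thread;
    bool fail_alloc;           /* assumed fault injection: lookup fails */
    size_t proc_work;          /* process-wide work items */
};

static void model_lock(struct model_proc *proc)   { proc->lock_depth++; }
static void model_unlock(struct model_proc *proc) { proc->lock_depth--; }

/* Lazily allocate the caller's thread record; NULL when allocation
 * fails, which is the case the patch guards against. */
static struct model_thread *model_get_thread(struct model_proc *proc)
{
    if (!proc->thread && !proc->fail_alloc)
        proc->thread = calloc(1, sizeof(*proc->thread));
    return proc->thread;
}

static bool model_has_proc_work(const struct model_proc *proc)
{
    return proc->proc_work > 0;
}

static bool model_has_thread_work(const struct model_thread *thread)
{
    return thread->todo > 0;
}

/* Same control flow as the patched binder_poll(): evaluate the predicate
 * only when the lookup succeeded, drop the lock, then return POLLERR
 * before the NULL thread pointer is ever dereferenced. */
static unsigned int model_poll(struct model_proc *proc)
{
    struct model_thread *thread;
    bool wait_for_proc_work = false;   /* set so the NULL path reads nothing unset */

    model_lock(proc);
    thread = model_get_thread(proc);
    if (thread)
        wait_for_proc_work = thread->transaction_stack == NULL &&
                             thread->todo == 0 &&
                             thread->return_error == MODEL_BR_OK;
    model_unlock(proc);

    if (!thread)
        return POLLERR;

    if (wait_for_proc_work)
        return model_has_proc_work(proc) ? POLLIN : 0;
    return model_has_thread_work(thread) ? POLLIN : 0;
}

static void model_proc_init(struct model_proc *proc, bool fail_alloc,
                            size_t proc_work)
{
    proc->lock_depth = 0;
    proc->thread = NULL;
    proc->fail_alloc = fail_alloc;
    proc->proc_work = proc_work;
}

static void model_proc_free(struct model_proc *proc)
{
    free(proc->thread);
    proc->thread = NULL;
}
```

Forcing the lookup to fail and then inspecting lock_depth is the check worth keeping in mind when reviewing any early return added inside a locked region: the error path has to leave the lock in the same state as the success path, and it must not touch the pointer whose absence it is reporting.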

* Re: [PATCH] android: binder: check result of binder_get_thread() in binder_poll()
  2017-05-08 20:43 [PATCH] android: binder: check result of binder_get_thread() in binder_poll() Dmitry Torokhov
@ 2017-05-08 20:46 ` John Stultz
  2017-05-08 20:56   ` Doug Anderson
  2017-08-23  1:50 ` Greg Kroah-Hartman
  1 sibling, 1 reply; 4+ messages in thread
From: John Stultz @ 2017-05-08 20:46 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Greg Kroah-Hartman, Arve Hjønnevåg, Martijn Coenen,
	Douglas Anderson, devel, lkml, Todd Kjos

On Mon, May 8, 2017 at 1:43 PM, Dmitry Torokhov
<dmitry.torokhov@gmail.com> wrote:
> If binder_get_thread() fails to give us thread data, we should avoid
> dereferencing a NULL pointer and return POLLERR instead.
>
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Pulling Todd Kjos in on this too.
-john

> ---
>  drivers/android/binder.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index aae4d8d4be36..66ed714fedd5 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
>                                 struct poll_table_struct *wait)
>  {
>         struct binder_proc *proc = filp->private_data;
> -       struct binder_thread *thread = NULL;
> +       struct binder_thread *thread;
>         int wait_for_proc_work;
>
>         binder_lock(__func__);
>
>         thread = binder_get_thread(proc);
> -
> -       wait_for_proc_work = thread->transaction_stack == NULL &&
> -               list_empty(&thread->todo) && thread->return_error == BR_OK;
> +       if (thread)
> +               wait_for_proc_work = thread->transaction_stack == NULL &&
> +                                    list_empty(&thread->todo) &&
> +                                    thread->return_error == BR_OK;
>
>         binder_unlock(__func__);
>
> +       if (!thread)
> +               return POLLERR;
> +
>         if (wait_for_proc_work) {
>                 if (binder_has_proc_work(proc, thread))
>                         return POLLIN;
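Review bot: the commit message says binder_get_thread() can fail to give us thread data but not under which condition, and the quoted lines do not show it either. Stating the failure condition in the changelog, and whether an unprivileged caller polling the binder fd can reach it, would let reviewers judge whether this is hardening or a user-reachable NULL dereference that wants a Fixes: tag and a stable backport.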
> --
> 2.13.0.rc1.294.g07d810a77f-goog
>
>
> --
> Dmitry


* Re: [PATCH] android: binder: check result of binder_get_thread() in binder_poll()
  2017-05-08 20:46 ` John Stultz
@ 2017-05-08 20:56   ` Doug Anderson
  0 siblings, 0 replies; 4+ messages in thread
From: Doug Anderson @ 2017-05-08 20:56 UTC (permalink / raw)
  To: John Stultz
  Cc: Dmitry Torokhov, Greg Kroah-Hartman, Arve Hjønnevåg,
	Martijn Coenen, devel, lkml, Todd Kjos

Dmitry,

On Mon, May 8, 2017 at 1:46 PM, John Stultz <john.stultz@linaro.org> wrote:
> On Mon, May 8, 2017 at 1:43 PM, Dmitry Torokhov
> <dmitry.torokhov@gmail.com> wrote:
>> If binder_get_thread() fails to give us thread data, we should avoid
>> dereferencing a NULL pointer and return POLLERR instead.
>>
>> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
>
> Pulling Todd Kjos in on this too.
> -john
>
>> ---
>>  drivers/android/binder.c | 12 ++++++++----
>>  1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
>> index aae4d8d4be36..66ed714fedd5 100644
>> --- a/drivers/android/binder.c
>> +++ b/drivers/android/binder.c
>> @@ -3103,18 +3103,22 @@ static unsigned int binder_poll(struct file *filp,
>>                                 struct poll_table_struct *wait)
>>  {
>>         struct binder_proc *proc = filp->private_data;
>> -       struct binder_thread *thread = NULL;
>> +       struct binder_thread *thread;
>>         int wait_for_proc_work;
>>
>>         binder_lock(__func__);
>>
>>         thread = binder_get_thread(proc);
>> -
>> -       wait_for_proc_work = thread->transaction_stack == NULL &&
>> -               list_empty(&thread->todo) && thread->return_error == BR_OK;
>> +       if (thread)
>> +               wait_for_proc_work = thread->transaction_stack == NULL &&
>> +                                    list_empty(&thread->todo) &&
>> +                                    thread->return_error == BR_OK;
>>
>>         binder_unlock(__func__);
>>
>> +       if (!thread)
>> +               return POLLERR;
>> +
>>         if (wait_for_proc_work) {
>>                 if (binder_has_proc_work(proc, thread))
>>                         return POLLIN;
>> --

I'm no expert on the poll function, but I agree that it's wise to
check the result of binder_get_thread() since it can return NULL.
FWIW:

Reviewed-by: Douglas Anderson <dianders@chromium.org>


* Re: [PATCH] android: binder: check result of binder_get_thread() in binder_poll()
  2017-05-08 20:43 [PATCH] android: binder: check result of binder_get_thread() in binder_poll() Dmitry Torokhov
  2017-05-08 20:46 ` John Stultz
@ 2017-08-23  1:50 ` Greg Kroah-Hartman
  1 sibling, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2017-08-23  1:50 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Arve Hjønnevåg, Riley Andrews, Martijn Coenen,
	John Stultz, Douglas Anderson, devel, linux-kernel

On Mon, May 08, 2017 at 01:43:23PM -0700, Dmitry Torokhov wrote:
> If binder_get_thread() fails to give us thread data, we should avoid
> dereferencing a NULL pointer and return POLLERR instead.
> 
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> Reviewed-by: Douglas Anderson <dianders@chromium.org>
> ---
>  drivers/android/binder.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Doesn't apply to my tree at all :(

Please rebase and resend, thanks.

greg k-h


Thread overview: 4+ messages
2017-05-08 20:43 [PATCH] android: binder: check result of binder_get_thread() in binder_poll() Dmitry Torokhov
2017-05-08 20:46 ` John Stultz
2017-05-08 20:56   ` Doug Anderson
2017-08-23  1:50 ` Greg Kroah-Hartman
