From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Eric Biggers", "syzbot"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 246/410] binder: check for binder_thread allocation failure in binder_poll()

3.16.57-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers

commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.

If the kzalloc() in binder_get_thread() fails, binder_poll() dereferences the resulting NULL pointer.

Fix it by returning POLLERR if the memory allocation failed.

This bug was found by syzkaller using fault injection.

Reported-by: syzbot
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Eric Biggers
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16:
 - Drop the binder global lock before returning
 - Adjust filename]
Signed-off-by: Ben Hutchings
---
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -2572,6 +2572,10 @@ static unsigned int binder_poll(struct f
 	binder_lock(__func__);
 	thread = binder_get_thread(proc);
+	if (!thread) {
+		binder_unlock(__func__);
+		return POLLERR;
+	}
 	wait_for_proc_work = thread->transaction_stack == NULL &&
 		list_empty(&thread->todo) && thread->return_error == BR_OK;
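Review bot: the NULL check sits immediately after binder_get_thread() and before the first dereference of thread (thread->transaction_stack), so the allocation-failure path now unwinds before any use of the pointer, and the backport correctly pairs the early return with binder_unlock(__func__), because binder_lock(__func__) two lines above would otherwise remain held on the error path (this is exactly the 3.16-specific adjustment the bwh note calls out, and a reviewer should confirm no other lock or reference is taken between binder_get_thread() and the check). Returning POLLERR is the right vehicle here: a poll handler returns an event mask, not an errno, so -ENOMEM cannot be propagated and the caller only learns that the fd is in an error state. Since the report came from syzkaller fault injection, re-running the same allocation-failure injection against binder_poll() on the 3.16 tree would be the natural way to verify that the error path both unlocks and no longer trips the reproducer.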