From 1493f0937f6dff7baab83fbcf57cb58acd45f74a Mon Sep 17 00:00:00 2001
From: Alice Ryhl
Date: Fri, 20 Jun 2025 11:31:01 +0000
Subject: [PATCH] ANDROID: rust_binder: allow PollTable to be null
Rust Binder currently makes a nullptr deref when the poll_table passed to f_ops->poll is a null pointer. This is due to the incorrect assumption that this pointer is never null. To fix this, I adjusted the API of the Rust PollTable to allow turning null ptrs into a Rust PollTable and adjusted Rust Binder to use the updated API. By also adjusting the PollTable api itself, and not just Rust Binder, this kind of mistake should be prevented in the future.
Bug: 426545861
Change-Id: I1eabd62d5e499c83b990517c93a63d7de49252ab
Signed-off-by: Alice Ryhl
---
 drivers/android/binder/process.rs | 2 +-
 drivers/android/binder/rust_binder.rs | 2 +-
 drivers/android/binder/thread.rs | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs
index 8ae013580494..3cfef886af10 100644
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -1633,7 +1633,7 @@ impl Process {
 pub(crate) fn poll(
 this: ArcBorrow<'_, Process>,
 file: &File,
- table: &mut PollTable,
+ table: PollTable<'_>,
 ) -> Result {
 let thread = this.get_current_thread()?;
 let (from_proc, mut mask) = thread.poll(file, table);
diff --git a/drivers/android/binder/rust_binder.rs b/drivers/android/binder/rust_binder.rs
index c51412869a8b..05bd98b3a108 100644
--- a/drivers/android/binder/rust_binder.rs
+++ b/drivers/android/binder/rust_binder.rs
@@ -472,7 +472,7 @@ unsafe extern "C" fn rust_binder_poll(
 // SAFETY: The caller ensures that the file is valid.
 let fileref = unsafe { File::from_raw_file(file) };
 // SAFETY: The caller ensures that the `PollTable` is valid.
- match Process::poll(f, fileref, unsafe { PollTable::from_ptr(wait) }) {
+ match Process::poll(f, fileref, unsafe { PollTable::from_raw(wait) }) {
 Ok(v) => v,
 Err(_) => bindings::POLLERR,
 }
diff --git a/drivers/android/binder/thread.rs b/drivers/android/binder/thread.rs
index 4f62377d968b..5352f5deaac8 100644
--- a/drivers/android/binder/thread.rs
+++ b/drivers/android/binder/thread.rs
@@ -1614,7 +1614,7 @@ impl Thread {
 ret
 }

- pub(crate) fn poll(&self, file: &File, table: &mut PollTable) -> (bool, u32) {
+ pub(crate) fn poll(&self, file: &File, table: PollTable<'_>) -> (bool, u32) {
 table.register_wait(file, &self.work_condvar);
 let mut inner = self.inner.lock();
 (inner.should_use_process_work_queue(), inner.poll())
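Review bot: The `// SAFETY:` comment directly above the changed `match` in `rust_binder_poll` still says the caller ensures the `PollTable` is valid, which no longer states the real precondition. According to the commit message, `wait` can be null when `f_ops->poll` is invoked, and that is the case `from_raw` is meant to accept. I would reword it to `// SAFETY: The caller ensures that wait is either null or a valid poll_table pointer for the duration of this call.`, assuming this matches the safety contract of `PollTable::from_raw`, whose definition is not part of this patch. This unsafe block sits on the C-to-Rust boundary where the null dereference occurred, so naming the null case here keeps a later edit from reintroducing the old assumption. `rust_binder_poll` begins before the hunk.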
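Review bot: `Thread::poll` now calls `table.register_wait(file, &self.work_condvar)` on a table that may have been built from a null pointer, so the fix depends on `register_wait` tolerating that case, and nothing in this patch shows that it does. A doc comment on the method would record the contract, for example `/// table may wrap a null poll_table; register_wait is expected to do nothing in that case (confirm against PollTable).`. The same comment belongs on `Process::poll` in process.rs, which forwards `table` to this method unchanged. The closing brace of `poll` lies outside the hunk.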