binder: check for binder_thread allocation failure in binder_poll()

commit f889826 upstream.

If the kzalloc() in binder_get_thread() fails, binder_poll()
dereferences the resulting NULL pointer.

Fix it by returning POLLERR if the memory allocation failed.

This bug was found by syzkaller using fault injection.

Reported-by: syzbot <[email protected]>
Fixes: 457b9a6 ("Staging: android: add binder driver")
Cc: [email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: ebiggers

drivers/android/binder.c

@@ -2628,6 +2628,8 @@ static unsigned int binder_poll(struct file *filp,
 	binder_lock(__func__);
 
 	thread = binder_get_thread(proc);
+	if (!thread)
+		return POLLERR;
 
 	wait_for_proc_work = thread->transaction_stack == NULL &&
 		list_empty(&thread->todo) && thread->return_error == BR_OK;