Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.17 2021-12-21T09:11:27Z 2021-12-21T09:11:27Z Ajith P V ajithpv.linux@gmail.com 2021-12-15T13:20:18Z urn:sha1:e80ca2e932056346f021d933b591d9d82b9cc93a binder.c uses <asm/cacheflush.h> instead of <linux/cacheflush.h>. Hence change cacheflush header file to proper one. This change also avoid warning from checkpatch that shown below: WARNING: Use #include <linux/cacheflush.h> instead of <asm/cacheflush.h> Signed-off-by: Ajith P V <ajithpv.linux@gmail.com> Link: https://lore.kernel.org/r/20211215132018.31522-1-ajithpv.linux@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-13T09:17:10Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2021-12-13T09:17:10Z urn:sha1:af40d16042d674442db8cf5fd654fabcd45fea44 We need the fixes in here as well, and also resolve some merge conflicts in: drivers/misc/eeprom/at25.c Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-09T18:49:56Z Eric Biggers ebiggers@google.com 2021-12-09T01:04:52Z urn:sha1:a880b28a71e39013e357fd3adccd1d8a31bc69a8 wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll and aio poll are fortunately not affected by this, but it's very fragile. Thus, the new function wake_up_pollfree() has been introduced. Convert binder to use wake_up_pollfree(). Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2021-12-08T16:30:03Z Arnd Bergmann arnd@arndb.de 2021-12-07T12:24:42Z urn:sha1:9a0a930fe2535a76ad70d3f43caeccf0d86a3009 binder_uintptr_t is not the same as uintptr_t, so converting it into a pointer requires a second cast: drivers/android/binder.c: In function 'binder_translate_fd_array': drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset; | ^ Fixes: 656e01f3ab54 ("binder: read pre-translated fds from sender buffer") Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:52Z urn:sha1:09184ae9b5756cc469db6fd1d1cfdcffbf627c2d BINDER_TYPE_PTR objects point to memory areas in the source process to be copied into the target buffer as part of a transaction. This implements a scatter- gather model where non-contiguous memory in a source process is "gathered" into a contiguous region in the target buffer. The data can include pointers that must be fixed up to correctly point to the copied data. To avoid making source process pointers visible to the target process, this patch defers the copy until the fixups are known and then copies and fixeups are done together. There is a special case of BINDER_TYPE_FDA which applies the fixup later in the target process context. In this case the user data is skipped (so no untranslated fds become visible to the target). Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-5-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:51Z urn:sha1:656e01f3ab54afe71bed066996fc2640881e1220 This patch is to prepare for an up coming patch where we read pre-translated fds from the sender buffer and translate them before copying them to the target. It does not change run time. The patch adds two new parameters to binder_translate_fd_array() to hold the sender buffer and sender buffer parent. These parameters let us call copy_from_user() directly from the sender instead of using binder_alloc_copy_from_buffer() to copy from the target. Also the patch adds some new alignment checks. Previously the alignment checks would have been done in a different place, but this lets us print more useful error messages. Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-4-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:50Z urn:sha1:6d98eb95b450a75adb4516a1d33652dc78d2b20c Transactions are copied from the sender to the target first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA are then fixed up. This means there is a short period where the sender's version of these objects are visible to the target prior to the fixups. Instead of copying all of the data first, copy data only after any needed fixups have been applied. Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-3-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:49Z urn:sha1:fe6b1869243f23a485a106c214bcfdc7aa0ed593 If a memory copy function fails to copy the whole buffer, a positive integar with the remaining bytes is returned. In binder_translate_fd_array() this can result in an fd being skipped due to the failed copy, but the loop continues processing fds since the early return condition expects a negative integer on error. Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case. Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions") Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:28:51Z Ajith P V ajithpv.linux@gmail.com 2021-11-25T12:22:18Z urn:sha1:690cfa20d02da5aca6e4c141ff34ef9529843280 binder.c file comment produce warning with checkpatch as below: WARNING: Possible repeated word: 'for' Remove the repeated word from the comment avoid this warning. Signed-off-by: Ajith P V <ajithpv.linux@gmail.com> Link: https://lore.kernel.org/r/20211125122218.6767-1-ajithpv.linux@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-11-17T15:08:52Z Todd Kjos tkjos@google.com 2021-11-12T18:07:20Z urn:sha1:c21a80ca0684ec2910344d72556c816cb8940c01 This is a partial revert of commit 29bc22ac5e5b ("binder: use euid from cred instead of using task"). Setting sender_euid using proc->cred caused some Android system test regressions that need further investigation. It is a partial reversion because subsequent patches rely on proc->cred. Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task") Cc: stable@vger.kernel.org # 4.4+ Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66 Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>