Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.17 2022-01-03T12:44:38Z 2022-01-03T12:44:38Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-01-03T12:44:38Z urn:sha1:824adf37ee9ddf3ecba1bc245507bc5953dda268 We need the fixes in here as well for testing. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-21T10:07:34Z Todd Kjos tkjos@google.com 2021-12-20T19:01:50Z urn:sha1:cfd0d84ba28c18b531648c9d4a35ecca89ad9901 In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8-bytes of async_free_space were leaked on every async transaction of 8-bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes. Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable@vger.kernel.org # 4.14+ Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-21T09:11:27Z Ajith P V ajithpv.linux@gmail.com 2021-12-15T13:20:18Z urn:sha1:e80ca2e932056346f021d933b591d9d82b9cc93a binder.c uses <asm/cacheflush.h> instead of <linux/cacheflush.h>. Hence change cacheflush header file to proper one. This change also avoid warning from checkpatch that shown below: WARNING: Use #include <linux/cacheflush.h> instead of <asm/cacheflush.h> Signed-off-by: Ajith P V <ajithpv.linux@gmail.com> Link: https://lore.kernel.org/r/20211215132018.31522-1-ajithpv.linux@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-13T09:17:10Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2021-12-13T09:17:10Z urn:sha1:af40d16042d674442db8cf5fd654fabcd45fea44 We need the fixes in here as well, and also resolve some merge conflicts in: drivers/misc/eeprom/at25.c Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-09T18:49:56Z Eric Biggers ebiggers@google.com 2021-12-09T01:04:52Z urn:sha1:a880b28a71e39013e357fd3adccd1d8a31bc69a8 wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll and aio poll are fortunately not affected by this, but it's very fragile. Thus, the new function wake_up_pollfree() has been introduced. Convert binder to use wake_up_pollfree(). Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2021-12-08T16:30:03Z Arnd Bergmann arnd@arndb.de 2021-12-07T12:24:42Z urn:sha1:9a0a930fe2535a76ad70d3f43caeccf0d86a3009 binder_uintptr_t is not the same as uintptr_t, so converting it into a pointer requires a second cast: drivers/android/binder.c: In function 'binder_translate_fd_array': drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset; | ^ Fixes: 656e01f3ab54 ("binder: read pre-translated fds from sender buffer") Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:52Z urn:sha1:09184ae9b5756cc469db6fd1d1cfdcffbf627c2d BINDER_TYPE_PTR objects point to memory areas in the source process to be copied into the target buffer as part of a transaction. This implements a scatter- gather model where non-contiguous memory in a source process is "gathered" into a contiguous region in the target buffer. The data can include pointers that must be fixed up to correctly point to the copied data. To avoid making source process pointers visible to the target process, this patch defers the copy until the fixups are known and then copies and fixeups are done together. There is a special case of BINDER_TYPE_FDA which applies the fixup later in the target process context. In this case the user data is skipped (so no untranslated fds become visible to the target). Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-5-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:51Z urn:sha1:656e01f3ab54afe71bed066996fc2640881e1220 This patch is to prepare for an up coming patch where we read pre-translated fds from the sender buffer and translate them before copying them to the target. It does not change run time. The patch adds two new parameters to binder_translate_fd_array() to hold the sender buffer and sender buffer parent. These parameters let us call copy_from_user() directly from the sender instead of using binder_alloc_copy_from_buffer() to copy from the target. Also the patch adds some new alignment checks. Previously the alignment checks would have been done in a different place, but this lets us print more useful error messages. Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-4-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:50Z urn:sha1:6d98eb95b450a75adb4516a1d33652dc78d2b20c Transactions are copied from the sender to the target first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA are then fixed up. This means there is a short period where the sender's version of these objects are visible to the target prior to the fixups. Instead of copying all of the data first, copy data only after any needed fixups have been applied. Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-3-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39Z Todd Kjos tkjos@google.com 2021-11-30T18:51:49Z urn:sha1:fe6b1869243f23a485a106c214bcfdc7aa0ed593 If a memory copy function fails to copy the whole buffer, a positive integar with the remaining bytes is returned. In binder_translate_fd_array() this can result in an fd being skipped due to the failed copy, but the loop continues processing fds since the early return condition expects a negative integer on error. Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case. Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions") Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>