Commit graph

307579 commits

Author SHA1 Message Date
AdrianDC
8e17455f73 Revert "HACK: time: Disable alarmtimer"
This reverts commit abbb445f65bbb139202fde5a66f9a249977058c9.
2017-08-25 16:03:46 +03:00
Colin Cross
ae8a974101 timekeeping: fix 32-bit overflow in get_monotonic_boottime
fixed upstream in v3.6 by ec145babe7

get_monotonic_boottime adds three nanosecond values stored
in longs, followed by an s64.  If the long values are all
close to 1e9 the first three additions can overflow and
become negative when added to the s64.  Cast the first
value to s64 so that all additions are 64 bit.

Change-Id: Id90beaf652571841b33cc6613d4744df33f5f007
Signed-off-by: Colin Cross <ccross@android.com>
[jstultz: Fished this out of the AOSP common.git tree. This was
fixed upstream in v3.6 by ec145babe7]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-25 16:03:40 +03:00
Tetsuo Handa
d6fb7fe270 BACKPORT: commoncap: don't alloc the credential unless needed in cap_task_prctl
In function cap_task_prctl(), we would allocate a credential
unconditionally and then check if we support the requested function.
If not, we would release this credential with abort_creds() using the
RCU method. But on some archs such as powerpc, sys_prctl is heavily
used to get/set the floating point exception mode. So the unnecessary
allocating/releasing of the credential not only introduces runtime overhead
but also causes OOM due to the RCU implementation.

This patch removes abort_creds() from cap_task_prctl() by calling
prepare_creds() only when we need to modify it.

Reported-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
(cherry picked from commit 6d6f332842)

Bug: 35074030
Test: Builds.
Change-Id: Ic7b0d01f4c23328b134084a5585599883aed6345
Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>
2017-08-24 20:56:54 +03:00
Jann Horn
383a6574eb BACKPORT: security: fix typo in security_task_prctl
Signed-off-by: Jann Horn <jann@thejh.net>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3)

Bug: 33340301
Test: Builds.
Change-Id: I61e017a565c7f18d71839be907c35c971ea42167
Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>
2017-08-24 20:56:21 +03:00
Martijn Coenen
a7732f95a2 ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.
These will be required going forward.

Change-Id: I8f24e1e9f87a6773bd84fb9f173a3725c376c692
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:53:26 +03:00
Todd Kjos
1cd2086a7a binder: use group leader instead of open thread
The binder allocator assumes that the thread that
called binder_open will never die for the lifetime of
that proc. That thread is normally the group_leader,
however it may not be. Use the group_leader instead
of current.

Bug: 35707103
Test: Created test case to open with temporary thread
Change-Id: Id693f74b3591f3524a8c6e9508e70f3e5a80c588
Signed-off-by: Todd Kjos <tkjos@google.com>
2017-08-24 20:53:19 +03:00
Al Viro
d58eeb88d5 binder: don't allow mmap() by process other than proc->tsk
We really shouldn't do get_files_struct() on a different process
and use it to modify the sucker later on.

Change-Id: I2be2b99395b6efa85a007317b25e6e9e7953c47a
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-08-24 20:53:10 +03:00
Martijn Coenen
cc9b2424b7 android: binder: support for file-descriptor arrays.
This patch introduces a new binder_fd_array object,
that allows us to support one or more file descriptors
embedded in a buffer that is scatter-gathered.

Change-Id: I647a53cf0d905c7be0dfd9333806982def68dd74
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:53:03 +03:00
Adrian DC
36e237a3a1 android: binder: Fix binder_transaction with "scatter-gather"
* Due to commit Ibe17f4f5629d1d541a03f1e826cfd153b64f0d8c,
  a log containing extra_buffers_size to an "lld" was added
  without the required (u64) typecast for ARM 32 bits support

Change-Id: Icdf378dc6cfa6502d2c067cad2c39a37589895d6
Signed-off-by: Adrian DC <radian.dc@gmail.com>
2017-08-24 20:52:57 +03:00
Martijn Coenen
0613b977be android: binder: support for scatter-gather.
Previously all data passed over binder needed
to be serialized, with the exception of Binder
objects and file descriptors.

This patch adds support for scatter-gathering raw
memory buffers into a binder transaction, avoiding
the need to first serialize them into a Parcel.

To remain backwards compatible with existing
binder clients, it introduces two new command
ioctls for this purpose - BC_TRANSACTION_SG and
BC_REPLY_SG. These commands may only be used with
the new binder_transaction_data_sg structure,
which adds a field for the total size of the
buffers we are scatter-gathering.

Because memory buffers may contain pointers to
other buffers, we allow callers to specify
a parent buffer and an offset into it, to indicate
this is a location pointing to the buffer that
we are fixing up. The kernel will then take care
of fixing up the pointer to that buffer as well.

Change-Id: Ibe17f4f5629d1d541a03f1e826cfd153b64f0d8c
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:52:50 +03:00
Martijn Coenen
04be070fa5 android: binder: add extra size to allocator.
The binder_buffer allocator currently only allocates
space for the data and offsets buffers of a Parcel.
This change allows for requesting an additional chunk
of data in the buffer, which can for example be used
to hold additional meta-data about the transaction
(eg a security context).

Change-Id: I58ab9c383a2e1a3057aae6adaa596ce867f1b157
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:52:44 +03:00
Martijn Coenen
d28c1dbb86 android: binder: refactor binder_transact()
Moved handling of fixup for binder objects,
handles and file descriptors into separate
functions.

Change-Id: If6849f1caee3834aa87d0ab08950bb1e21ec6e38
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:52:37 +03:00
Martijn Coenen
b317ea9c37 BACKPORT: android: binder: support multiple /dev instances.
Add a new module parameter 'devices', that can be
used to specify the names of the binder device
nodes we want to populate in /dev.

Each device node has its own context manager, and
is therefore logically separated from all the other
device nodes.

The config option CONFIG_ANDROID_BINDER_DEVICES can
be used to set the default value of the parameter.

This approach was favored over using IPC namespaces,
mostly because we require a single process to be a
part of multiple binder contexts, which seemed harder
to achieve with namespaces.

[AdrianDC] Backport to 3.4 with list.h iterator
           hlist_for_each_entry_rcu node kept

Change-Id: I3d8531c44e82ef7db4d8b9fa0c1761d4ec282e3d
Signed-off-by: Martijn Coenen <maco@google.com>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
2017-08-24 20:52:30 +03:00
Martijn Coenen
49be1ba87f BACKPORT: android: binder: deal with contexts in debugfs.
Properly print the context in debugfs entries.

Change-Id: Ieeb89bfa8e760635366ce8b60569fbbd4937b844
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:52:22 +03:00
Martijn Coenen
672c9e5f01 BACKPORT: android: binder: support multiple context managers.
Move the context manager state into a separate
struct context, and allow for each process to have
its own context associated with it.

Change-Id: I6a9dfacb7b73a29760e367ff0b4e0ee21f2d0380
Signed-off-by: Martijn Coenen <maco@google.com>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
2017-08-24 20:52:03 +03:00
Martijn Coenen
6d87808481 android: binder: split flat_binder_object.
flat_binder_object is used for both handling
binder objects and file descriptors, even though
the two are mostly independent. Since we'll
have more fixup objects in binder in the future,
instead of extending flat_binder_object again,
split out file descriptors to their own object
while retaining backwards compatibility to
existing user-space clients. All binder objects
just share a header.

Change-Id: Ifffa8cb749335d0ee79226c98f70786190516355
Signed-off-by: Martijn Coenen <maco@google.com>
2017-08-24 20:51:56 +03:00
Nick Desaulniers
383acbdc1c binder: blacklist %p kptr_restrict
Bug: 31495231
Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd
2017-08-24 20:51:48 +03:00
Masanari Iida
58fe78e368 staging: android: Fix typo in staging/android
Fix "with with" in debug message.

Change-Id: Ibb60ca741d8ec760873054db53ad83e1b8a70c15
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 1dcdbfd6d9
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:51:31 +03:00
Mirsal Ennaime
d446e1e8b3 drivers: android: binder: Use __func__ in debug messages
Debug messages sent in binder_deferred_release begin with
"binder_release:" which is a bit misleading as binder_release is not
directly part of the call stack. Use __func__ instead for debug messages
in binder_deferred_release.

Change-Id: I7b9e2efaed188328d5b0dc82fbfe314a3666237c
Signed-off-by: Mirsal Ennaime <mirsal@mirsal.fr>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:51:24 +03:00
Mirsal Ennaime
6814a87e8b drivers: android: binder: Remove excessive indentation
Remove one level of indentation from the binder proc page release code
by using slightly different control semantics.

Change-Id: I7a34049bf32799d7954da770f05411183c950778
Signed-off-by: Mirsal Ennaime <mirsal@mirsal.fr>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:51:18 +03:00
Mirsal Ennaime
d61f45cfb7 drivers: android: binder: Fix code style in binder_deferred_release
* Use tabs where applicable
* Remove a few "80-columns" checkpatch warnings
* Separate code paths with empty lines for readability

Change-Id: I634852d0812756e2c0412152a36c99dd9a9bb94a
Signed-off-by: Mirsal Ennaime <mirsal@mirsal.fr>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:51:11 +03:00
Arve Hjønnevåg
779ade83fd Staging: android: binder: More offset validation.
Make sure offsets don't point to overlapping flat_binder_object
structs.

Change-Id: I425ab0c46fbe2b00ed679c5becf9e8140395eb40
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Git-commit: 457c3cd05958b8397211ae1f6dd3c3d325f4c0ea
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:51:02 +03:00
Paresh Nakhe
bd600c9f3b binder: NULL pointer reference
This fix handles a possible NULL pointer reference in
debug message.

CRs-fixed: 642883
Change-Id: Ide78f281ec0cff5cbd8231b85c305d13a892854e
Signed-off-by: Paresh Nakhe <pnakhe@codeaurora.org>
2017-08-24 20:50:46 +03:00
Uma Maheshwari Bhiram
6af7264b93 binder: Quiet Binder
Temporary change to avoid watchdog bark because of
excessive failed transaction logging

CRs-Fixed: 572081

Change-Id: Id664d65ab9e78627991f8b7d4f4e5e126908c214
Signed-off-by: Uma Maheshwari Bhiram <ubhira@codeaurora.org>
2017-08-24 20:50:40 +03:00
Arve Hjønnevåg
2106269db7 Staging: android: binder: Support concurrent 32 bit and 64 bit processes.
Add binder_size_t and binder_uintptr_t, which are used instead of size_t and
void __user * in the user-space interface.

Use 64 bit pointers on all systems unless CONFIG_ANDROID_BINDER_IPC_32BIT
is set (which enables the old protocol on 32 bit systems).

Change BINDER_CURRENT_PROTOCOL_VERSION to 8 if
CONFIG_ANDROID_BINDER_IPC_32BIT is not set.

Add compat ioctl.

Change-Id: Ifbbde0209da0050011bcab34c547a4c30d6e8c49
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Git-commit: 1c4aa9fb12e8b0a54f056b8402b0bde61b49498f
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: David Ng <dave@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:50:31 +03:00
Serban Constantinescu
500c20e59e staging: android: binder: fix ABI for 64bit Android
This patch fixes the ABI for 64bit Android userspace.
BC_REQUEST_DEATH_NOTIFICATION and BC_CLEAR_DEATH_NOTIFICATION claim
to be using struct binder_ptr_cookie, but they are using a 32bit handle
and a pointer.

On 32bit systems the payload size is the same as the size of struct
binder_ptr_cookie, however for 64bit systems this will differ. This
patch adds struct binder_handle_cookie that fixes this issue for 64bit
Android.

Since there are no 64bit users of this interface that we know of this
change should not affect any existing systems.

Change-Id: I8909cbc50aad48ccf371270bad6f69ff242a8c22
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Git-commit: 34d977e7af9bb097530aa71204d591485f7dddc7
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: David Ng <dave@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:50:24 +03:00
Colin Cross
b57ed6c434 drivers: staging: android: split uapi out of binder.h
Move the userspace interface of binder.h to
drivers/staging/android/uapi/binder.h.

Change-Id: I2e56ba89ade5e1f33b121e6ecd456392d588a14e
Signed-off-by: Colin Cross <ccross@android.com>
Git-commit: 06f505a4d5719da00e76bde885792a7d5ec968f8
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:50:16 +03:00
Serban Constantinescu
6b3c4d559a staging: android: binder: fix binder interface for 64bit compat layer
The changes in this patch will fix the binder interface for use on 64bit
machines and stand as the base of the 64bit compat support. The changes
apply to the structures that are passed between the kernel and
userspace.

Most of the changes applied mirror the change to struct binder_version
where there is no need for a 64bit wide protocol_version (on 64bit
machines). The change is in line with the existing 32bit userspace (the
structure has the same size) and simplifies the compat layer such that
the same handler can service the BINDER_VERSION ioctl.

Other changes make use of kernel types as well as user-exportable ones
and fix format specifier issues.

The changes do not affect existing 32bit ABI.

Change-Id: If00cb82dc4407a5e0890abbcb4019883e99e9a1f
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 64dcfe6b84
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:50:09 +03:00
Serban Constantinescu
abc6c8fe4f staging: android: binder: replace types with portable ones
Since this driver is meant to be used on different types of processors,
and a portable driver should specify the size a variable expects to be,
this patch changes the types used throughout the binder interface.

We use "userspace" types since this header will be exported and used by
the Android filesystem.

The patch does not change in any way the functionality of the binder driver.

Change-Id: Iede6575f6f9d76bec0bbed11948abe3ff081d0ee
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: eecddef594
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:50:02 +03:00
Serban Constantinescu
2c056acb9c staging: android: binder: fix BC_FREE_BUFFER ioctl declaration
BinderDriverCommands mirror the ioctl usage. Thus the size of the
structure passed through the interface should be used to generate the
ioctl No.

The change reflects the type being passed from the user space: a pointer
to a binder_buffer. This change should not affect the existing 32bit
user space since BC_FREE_BUFFER is computed as:

   #define _IOW(type,nr,size)         \
      (((type) << _IOC_TYPESHIFT) |   \
       ((nr)   << _IOC_NRSHIFT) |     \
       ((size) << _IOC_SIZESHIFT))

and for a 32bit compiler BC_FREE_BUFFER will have the same computed
value. This change will also ease our work in differentiating
BC_FREE_BUFFER from COMPAT_BC_FREE_BUFFER.

The change does not affect existing 32bit ABI.

Change-Id: I72c6bfae325840a825c8786a79a07ffad540d602
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: fc56f2ecf0
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:49:54 +03:00
Serban Constantinescu
26dcf02485 staging: android: binder: fix BINDER_SET_MAX_THREADS declaration
This change will fix the BINDER_SET_MAX_THREADS ioctl to use __u32
instead of size_t for setting the max threads, thus using the same
handler for 32 and 64bit kernels.

This value is stored internally in struct binder_proc and set to 15
on open_binder() in the libbinder API (thus no need for a 64bit size_t
on 64bit platforms).

The change does not affect existing 32bit ABI.

Change-Id: I193678d455b6527d54c524feb785631df8faed5a
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: a9350fc859
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:49:44 +03:00
Serban Constantinescu
8544b6b92b staging: android: binder: replace IOCTL types with user-exportable types
This patch modifies the IOCTL macros to use user-exportable data types,
as they are the preferred kernel types for the user/kernel interface.

The patch does not change in any way the functionality of the binder driver.

Change-Id: I784358581eba5c04c9bb3235cd4ae68f0225129a
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:49:31 +03:00
Bojan Prtvar
1af3640ff5 Staging: android: add __user annotation in binder.c
This fixes the following sparse error:
drivers/staging/android/binder.c:1795:36: error: incompatible types in comparison expression (different address spaces)

Change-Id: Icf6b3868442fc3e4f145c8d13de9626abc306cd1
Signed-off-by: Bojan Prtvar <prtvar.b@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 308fbd8ac0
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:49:21 +03:00
Bojan Prtvar
eb155b14ca Staging: android: Mark local functions in binder.c as static
This fixes the following sparse warnings:
drivers/staging/android/binder.c:1703:5: warning: symbol 'binder_thread_write' was not declared. Should it be static?
drivers/staging/android/binder.c:2058:6: warning: symbol 'binder_stat_br' was not declared. Should it be static?

Change-Id: I930f10e54c19b0c6aca275f3ef51320bcfa3bb34
Signed-off-by: Bojan Prtvar <prtvar.b@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: fb07ebc3e8
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:49:13 +03:00
Serban Constantinescu
502645dba8 staging: android: binder: fix alignment issues
The Android userspace aligns the data written to the binder buffers to
4 bytes. Thus for 32bit platforms or 64bit platforms running a 32bit
Android userspace we can have a buffer looking like this:

platform    buffer (binder_cmd   pointer)     size
32/32                  32b         32b          8B
64/32                  32b         64b         12B
64/64                  32b         64b         12B

Thus the kernel needs to check that the buffer size is aligned to 4 bytes,
not to (void *), which will be 8 bytes on 64bit machines.

The change does not affect existing 32bit ABI.

Change-Id: Idcad35da1c1567ee0676d60d03afd07b219c59ea
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: ec35e852dc
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:48:57 +03:00
Cruz Julian Bishop
db4620e641 staging: android: Avoid using camelcase in binder.h
This changes the following:

1: BinderDriverReturnProtocol -> binder_driver_return_protocol
2: BinderDriverCommandProtocol -> binder_driver_return_protocol

These enums are not currently used, but still generate noise in checkpatch.

Well, did. They don't now :)

Change-Id: I7eeb7b8fc20ed1c4b3736f3f36b6637a1a631560
Signed-off-by: Cruz Julian Bishop <cruzjbishop@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:48:49 +03:00
Emil Goode
efc8b35529 staging: android: binder: fix sparse warnings
Fix sparse warnings by adding __user annotation to structs.

This patch fixes the following sparse warnings:

drivers/staging/android/binder.c:1343:76: warning:
	incorrect type in argument 2 (different address spaces)
	drivers/staging/android/binder.c:1343:76:
	expected void [noderef] <asn:1>*ptr
	drivers/staging/android/binder.c:1343:76: got void *binder
drivers/staging/android/binder.c:1567:57: warning:
	incorrect type in argument 2 (different address spaces)
	drivers/staging/android/binder.c:1567:57:
	expected void const [noderef] <asn:1>*from
	drivers/staging/android/binder.c:1567:57:
	got void const *buffer
drivers/staging/android/binder.c:1573:46: warning:
	incorrect type in argument 2 (different address spaces)
	drivers/staging/android/binder.c:1573:46:
	expected void const [noderef] <asn:1>*from
	drivers/staging/android/binder.c:1573:46:
	got void const *offsets
drivers/staging/android/binder.c:1603:76: warning:
	incorrect type in argument 2 (different address spaces)
	drivers/staging/android/binder.c:1603:76:
	expected void [noderef] <asn:1>*ptr
	drivers/staging/android/binder.c:1603:76: got void *binder
drivers/staging/android/binder.c:1605:64: warning:
	incorrect type in argument 2 (different address spaces)
	drivers/staging/android/binder.c:1605:64:
	expected void [noderef] <asn:1>*ptr
	drivers/staging/android/binder.c:1605:64: got void *binder
drivers/staging/android/binder.c:1605:76: warning:
	incorrect type in argument 3 (different address spaces)
	drivers/staging/android/binder.c:1605:76:
	expected void [noderef] <asn:1>*cookie
	drivers/staging/android/binder.c:1605:76: got void *cookie
drivers/staging/android/binder.c:1613:40: error:
	incompatible types in comparison

Change-Id: I6cac879e87993f077700574420a798226a21721d
Signed-off-by: Emil Goode <emilgoode@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:48:37 +03:00
Serban Constantinescu
bb427274b8 staging: android: binder: modify struct binder_write_read to use size_t
This change mirrors the userspace operation where struct binder_write_read
members that specify the buffer size and consumed size are size_t elements.

The patch also fixes the binder_thread_write() and binder_thread_read()
functions prototypes to conform with the definition of binder_write_read.

The changes do not affect existing 32bit ABI.

Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 397334fc2b
Git-repo: https://android.googlesource.com/kernel/common/
Change-Id: If606f0fe135ffc4a630dbf34d755f559c36ee62a
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2017-08-24 20:48:30 +03:00
Anmol Sarma
513c61afda BACKPORT: Staging: android: binder: Fixed multi-line strings
Changed all user visible multi-line strings to single line.
Removed 'binder:' prefix on strings.

Change-Id: I697fa4ee9741e2893f08062ca2256985f4977739
Signed-off-by: Anmol Sarma <unmole.in@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:48:05 +03:00
Sherwin Soltani
9d47996112 drivers: staging: android: binder.c: fix printk macros
Change printk() messages to pr_* macros.

Change-Id: Iaeddb5f0697bf25abc3d860cfdc431a0a7125d7f
Signed-off-by: Sherwin Soltani <sherwin@wybc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:47:56 +03:00
Sachin Kamat
ae71e6680d Staging: android: binder: Make task_get_unused_fd_flags function static
Silence the following warning:
drivers/staging/android/binder.c:368:5: warning:
symbol 'task_get_unused_fd_flags' was not declared. Should it be static?

Change-Id: Iacdae492c73d3b0399d2cf0d101943313082de0d
Cc: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-24 20:47:49 +03:00
Arve Hjønnevåg
0eb75e2242 ANDROID: binder: Add strong ref checks
Prevent using a binder_ref with only weak references where a strong
reference is required.

BUG: 30445380
Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
2017-08-24 20:47:23 +03:00
Arve Hjønnevåg
59c14d2f6f ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Prevents leaking pointers between processes

BUG: 30768347
Change-Id: Id898076926f658a1b8b27a3ccb848756b36de4ca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 11032d745836280574827bb1db5e64a94945180e
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2017-08-24 20:47:15 +03:00
Jin Qian
9e20025f8b f2fs: sanity check checkpoint segno and blkoff
Make sure segno and blkoff read from raw image are valid.

Cc: stable@vger.kernel.org
Signed-off-by: Jin Qian <jinqian@google.com>
[Jaegeuk Kim: adjust minor coding style]
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Change-Id: Ie2505c071233c1a9dec2729fe1ad467689a1b7a2
(cherry picked from commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a)
2017-08-07 18:11:20 -06:00
Jin Qian
46e0dfc447 f2fs: sanity check segment count
F2FS uses 4 bytes to represent a block address. As a result, the supported
disk size is 16 TB, which equals 16 * 1024 * 1024 / 2 segments.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Change-Id: I16b3cd6279bff1a221781a80b9b34744c9e7098f
(cherry picked from commit b9dd46188edc2f0d1f37328637860bb65a771124)
2017-08-07 18:11:13 -06:00
Thomas Gleixner
5a34ec804c timerfd: Protect the might cancel mechanism proper
The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

Change-Id: I1f2d38a919ceb1ca1c7c9471dece0c1126383912
(cherry picked from commit 1e38da300e1e395a15048b0af1e5305bd91402f6)
2017-08-07 18:11:00 -06:00
Al Viro
78e6676177 sg_start_req(): make sure that there's not too many elements in iovec
Unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of the total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of the sum in the
first loop there.  If that sum wraps around, we end up allocating
too small an array of pointers to pages and it's easy to overflow it in
the second loop.

X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Change-Id: I9d8176f3db43bf94e2c48dfd2f4094dfc7c72e90
(cherry picked from commit 451a2886b6bf90e2fb378f7c46c655450fb96e81)
(with trivial backport from http://seclists.org/oss-sec/2015/q3/271)
2017-08-07 18:10:23 -06:00
Eric Dumazet
60469792e1 ipv4: keep skb->dst around in presence of IP options
Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
are present.

We could refine the test to the presence of ts_needtime or srr,
but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Fixes: d826eb14ec ("ipv4: PKTINFO doesnt need dst reference")
Change-Id: I4684e44431021585a6b967feb1cba2ded8c5bddc
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-17 05:11:36 +00:00
Takashi Iwai
383328af7a ALSA: timer: Fix race between read and ioctl
A read from the ALSA timer device, the function snd_timer_user_tread(),
may access uninitialized struct snd_timer_user fields when the
read is performed concurrently with an ioctl such as
snd_timer_user_tselect().  We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read and ioctl.

This patch simply applies (more exactly extends the already applied
range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
race window.

Change-Id: I3b539d6e01d86d5b9cbe813e2616894e6202225f
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-07-17 05:11:28 +00:00
Takashi Iwai
0fad971542 ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Change-Id: I5143563a56255d4063992e75f360972658b3eb21
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-07-17 05:10:10 +00:00