Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.67 2019-08-04T07:30:53+00:00 2019-08-04T07:30:53+00:00 Todd Kjos tkjos@android.com 2019-06-12T20:29:27+00:00 urn:sha1:22068d49d09d2b3890e19d7b2048a33340f992da commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream. There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF. Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-31T05:27:10+00:00 Hridya Valsaraju hridya@google.com 2019-07-15T19:18:04+00:00 urn:sha1:e907b1314481c8586ff3793fd92c7dbd8aa841ae commit 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec upstream. Currently, a transaction to context manager from its own process is prevented by checking if its binder_proc struct is the same as that of the sender. However, this would not catch cases where the process opens the binder device again and uses the new fd to send a transaction to the context manager. Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com Signed-off-by: Hridya Valsaraju <hridya@google.com> Acked-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-14T06:11:21+00:00 Todd Kjos tkjos@android.com 2019-06-21T17:54:15+00:00 urn:sha1:524ad00e80b7b1138e933a3dc62e67cb25baadc6 commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-05T18:32:11+00:00 Todd Kjos tkjos@android.com 2018-11-06T23:55:32+00:00 urn:sha1:553927d6aab993e1297d0c69274cd0c2df5440ca commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream. Malicious code can attempt to free buffers using the BC_FREE_BUFFER ioctl to binder. There are protections against a user freeing a buffer while in use by the kernel, however there was a window where BC_FREE_BUFFER could be used to free a recently allocated buffer that was not completely initialized. This resulted in a use-after-free detected by KASAN with a malicious test program. This window is closed by setting the buffer's allow_user_free attribute to 0 when the buffer is allocated or when the user has previously freed it instead of waiting for the caller to set it. The problem was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by: Todd Kjos <tkjos@google.com> Acked-by: Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> # 4.14 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-08T09:05:47+00:00 Sherry Yang sherryy@android.com 2018-08-07T19:57:13+00:00 urn:sha1:128f38041035001276e964cda1cf951f218d965d Use rate-limited debug messages where userspace can trigger excessive log spams. Acked-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Sherry Yang <sherryy@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-24T12:23:00+00:00 Guenter Roeck linux@roeck-us.net 2018-07-23T21:41:38+00:00 urn:sha1:f371a7c17aaa47dd7aedc89ef3cd1d5638c03f5e If asm/cacheflush.h is included first, the following build warnings are seen with sparc32 builds. In file included from arch/sparc/include/asm/cacheflush.h:11:0, from drivers/android/binder.c:54: arch/sparc/include/asm/cacheflush_32.h:40:37: warning: 'struct page' declared inside parameter list will not be visible outside of this definition or declaration Moving the asm/ include after linux/ includes solves the problem. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 Souptick Joarder jrdr.linux@gmail.com 2018-04-23T16:24:00+00:00 urn:sha1:e19f70aa02f34abd4c5740f761f4694e9a7c8b3d Use new return type vm_fault_t for fault handler in struct vm_operations_struct. For now, this is just documenting that the function returns a VM_FAULT value rather than an errno. Once all instances are converted, vm_fault_t will become a distinct type. Reference id -> 1c8f422059ae ("mm: change return type to vm_fault_t") Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 Minchan Kim minchan@kernel.org 2018-05-07T14:15:37+00:00 urn:sha1:720c241924046aff83f5f2323232f34a30a4c281 binder_update_page_range needs down_write of mmap_sem because vm_insert_page need to change vma->vm_flags to VM_MIXEDMAP unless it is set. However, when I profile binder working, it seems every binder buffers should be mapped in advance by binder_mmap. It means we could set VM_MIXEDMAP in binder_mmap time which is already hold a mmap_sem as down_write so binder_update_page_range doesn't need to hold a mmap_sem as down_write. Please use proper API down_read. It would help mmap_sem contention problem as well as fixing down_write abuse. Ganesh Mahendran tested app launching and binder throughput test and he said he couldn't find any problem and I did binder latency test per Greg KH request(Thanks Martijn to teach me how I can do) I cannot find any problem, too. Cc: Ganesh Mahendran <opensource.ganesh@gmail.com> Cc: Joe Perches <joe@perches.com> Cc: Arve Hjønnevåg <arve@android.com> Cc: Todd Kjos <tkjos@google.com> Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 宋金时 songjinshi@xiaomi.com 2018-05-10T02:05:03+00:00 urn:sha1:838d5565669aa5bb7deb605684a5970d51d5eaf6 When to execute binder_stat_br the e->cmd has been modifying as BR_OK instead of the original return error cmd, in fact we want to know the original return error, such as BR_DEAD_REPLY or BR_FAILED_REPLY, etc. instead of always BR_OK, in order to avoid the value of the e->cmd is always BR_OK, so we need assign the value of the e->cmd to cmd before e->cmd = BR_OK. Signed-off-by: songjinshi <songjinshi@xiaomi.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 Martijn Coenen maco@google.com 2018-05-11T08:45:24+00:00 urn:sha1:1190b4e38f97023154e6b3bef61b251aa5f970d0 New devices launching with Android P need to use the 64-bit binder interface, even on 32-bit SoCs [0]. This change removes the Kconfig option to select the 32-bit binder interface. We don't think this will affect existing userspace for the following reasons: 1) The latest Android common tree is 4.14, so we don't believe any Android devices are on kernels >4.14. 2) Android devices launch on an LTS release and stick with it, so we wouldn't expect devices running on <= 4.14 now to upgrade to 4.17 or later. But even if they did, they'd rebuild the world (kernel + userspace) anyway. 3) Other userspaces like 'anbox' are already using the 64-bit interface. Note that this change doesn't remove the 32-bit UAPI itself; the reason for that is that Android userspace always uses the latest UAPI headers from upstream, and userspace retains 32-bit support for devices that are upgrading. This will be removed as well in 2-3 years, at which point we can remove the code from the UAPI as well. Finally, this change introduces build errors on archs where 64-bit get_user/put_user is not supported, so make binder unavailable on m68k (which wouldn't want it anyway). [0]: https://android-review.googlesource.com/c/platform/build/+/595193 Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>