Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.130 2018-02-28T09:18:33+00:00 2018-02-28T09:18:33+00:00 Eric Biggers ebiggers@google.com 2018-02-26T18:56:45+00:00 urn:sha1:febf108e6c82d981ac6306978129dccb75db8b64 When commit 4be5a2810489 ("binder: check for binder_thread allocation failure in binder_poll()") was applied to 4.4-stable and 4.9-stable it was forgotten to release the global binder lock in the new error path. The global binder lock wasn't removed until v4.14, by commit a60b890f607d ("binder: remove global binder lock"). Fix the new error path to release the lock. Reported-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-02-25T10:05:44+00:00 Eric Biggers ebiggers@google.com 2018-01-31T07:11:24+00:00 urn:sha1:4be5a281048964854c0b1c145e57597e7116ea9f commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream. If the kzalloc() in binder_get_thread() fails, binder_poll() dereferences the resulting NULL pointer. Fix it by returning POLLERR if the memory allocation failed. This bug was found by syzkaller using fault injection. Reported-by: syzbot <syzkaller@googlegroups.com> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:21:53+00:00 Martijn Coenen maco@android.com 2017-07-28T11:56:08+00:00 urn:sha1:cbd854d993546a38d8d5ee46361715c2119cd613 commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream. Commit c4ea41ba195d ("binder: use group leader instead of open thread")' was incomplete and didn't update a check in binder_mmap(), causing all mmap() calls into the binder driver to fail. Signed-off-by: Martijn Coenen <maco@android.com> Tested-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:21:53+00:00 Riley Andrews riandrews@google.com 2017-06-29T19:01:37+00:00 urn:sha1:8fb0b0ce288d38d78685a9d6f6320339afadf709 commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream. Use wake_up_interruptible_sync() to hint to the scheduler binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:21:53+00:00 Todd Kjos tkjos@android.com 2017-06-29T19:01:36+00:00 urn:sha1:51050750181c791410a7e8dc405cc909e264587b commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream. The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:21:52+00:00 Todd Kjos tkjos@android.com 2017-07-05T20:46:01+00:00 urn:sha1:eda70a559187ebc33b8019a50bcc4077030f2ed3 commit a2b18708ee14baec4ef9c0fba96070bba14d0081 upstream. This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. The patch introduced a race in the binder driver. An attempt to fix the race was submitted in "[PATCH v2] android: binder: fix dangling pointer comparison", however the conclusion in the discussion for that patch was that the original patch should be reverted. The reversion is being done as part of the fine-grained locking patchset since the patch would need to be refactored when proc->vmm_vm_mm is removed from struct binder_proc and added in the binder allocator. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-10-24T17:37:48+00:00 Arve Hjønnevåg arve@android.com 2016-10-24T13:20:30+00:00 urn:sha1:4afb604e2d14d429ac9e1fd84b952602853b2df5 Prevents leaking pointers between processes Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-10-24T17:37:47+00:00 Arve Hjønnevåg arve@android.com 2016-10-24T13:20:29+00:00 urn:sha1:0a3ffab93fe52530602fe47cd74802cffdb19c05 Prevent using a binder_ref with only weak references where a strong reference is required. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-08-15T15:00:45+00:00 Bhaktipriya Shridhar bhaktipriya96@gmail.com 2016-08-13T16:46:24+00:00 urn:sha1:1beba52d46f039a24f31cf5717c239c89a9d4e6f The workqueue is being used to run deferred work for the android binder. The "binder_deferred_workqueue" queues only a single work item and hence does not require ordering. Also, this workqueue is not being used on a memory recliam path. Hence, the singlethreaded workqueue has been replaced with the use of system_wq. System workqueues have been able to handle high level of concurrency for a long time now and hence it's not required to have a singlethreaded workqueue just to gain concurrency. Unlike a dedicated per-cpu workqueue created with create_singlethread_workqueue(), system_wq allows multiple work items to overlap executions even on the same CPU; however, a per-cpu workqueue doesn't have any CPU locality or global ordering guarantee unless the target CPU is explicitly specified and thus the increase of local concurrency shouldn't make any difference. Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-03-02T00:10:45+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2016-03-02T00:10:45+00:00 urn:sha1:3e66848a3249105fe4973b0550b5b6cd42240168 We want the staging fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>