Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.18.12 2022-04-22T15:22:51+00:00 2022-04-22T15:22:51+00:00 Alessandro Astone ales.astone@gmail.com 2022-04-15T12:00:14+00:00 urn:sha1:ef38de9217a04c9077629a24652689d8fdb4c6c6 Some android userspace is sending BINDER_TYPE_FDA objects with num_fds=0. Like the previous patch, this is reproducible when playing a video. Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0 were 'correctly handled', as in no fixup was performed. After commit 09184ae9b575 we aggregate fixup and skip regions in binder_ptr_fixup structs and distinguish between the two by using the skip_size field: if it's 0, then it's a fixup, otherwise skip. When processing BINDER_TYPE_FDA objects with num_fds=0 we add a skip region of skip_size=0, and this causes issues because now binder_do_deferred_txn_copies will think this was a fixup region. To address that, return early from binder_translate_fd_array to avoid adding an empty skip region. Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data") Acked-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@kernel.org> Signed-off-by: Alessandro Astone <ales.astone@gmail.com> Link: https://lore.kernel.org/r/20220415120015.52684-1-ales.astone@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-04-22T15:22:48+00:00 Alessandro Astone ales.astone@gmail.com 2022-04-15T12:00:15+00:00 urn:sha1:2d1746e3fda0c3612143d7c06f8e1d1830c13e23 When handling BINDER_TYPE_FDA object we are pushing a parent fixup with a certain skip_size but no scatter-gather copy object, since the copy is handled standalone. If BINDER_TYPE_FDA is the last children the scatter-gather copy loop will never stop to skip it, thus we are left with an item in the parent fixup list. This will trigger the BUG_ON(). This is reproducible in android when playing a video. We receive a transaction that looks like this: obj[0] BINDER_TYPE_PTR, parent obj[1] BINDER_TYPE_PTR, child obj[2] BINDER_TYPE_PTR, child obj[3] BINDER_TYPE_FDA, child Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data") Acked-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@kernel.org> Signed-off-by: Alessandro Astone <ales.astone@gmail.com> Link: https://lore.kernel.org/r/20220415120015.52684-2-ales.astone@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-02-04T14:40:44+00:00 Minghao Chi chi.minghao@zte.com.cn 2022-01-04T11:35:00+00:00 urn:sha1:b2fb28dedd39408268db38da98ef9c7d444623ab Return value from list_lru_count() directly instead of taking this in another redundant variable. Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn> Signed-off-by: CGEL ZTE <cgel.zte@gmail.com> Link: https://lore.kernel.org/r/20220104113500.602158-1-chi.minghao@zte.com.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-01-03T12:44:38+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-01-03T12:44:38+00:00 urn:sha1:824adf37ee9ddf3ecba1bc245507bc5953dda268 We need the fixes in here as well for testing. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-21T10:07:34+00:00 Todd Kjos tkjos@google.com 2021-12-20T19:01:50+00:00 urn:sha1:cfd0d84ba28c18b531648c9d4a35ecca89ad9901 In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8-bytes of async_free_space were leaked on every async transaction of 8-bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes. Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable@vger.kernel.org # 4.14+ Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-21T09:11:27+00:00 Ajith P V ajithpv.linux@gmail.com 2021-12-15T13:20:18+00:00 urn:sha1:e80ca2e932056346f021d933b591d9d82b9cc93a binder.c uses <asm/cacheflush.h> instead of <linux/cacheflush.h>. Hence change cacheflush header file to proper one. This change also avoid warning from checkpatch that shown below: WARNING: Use #include <linux/cacheflush.h> instead of <asm/cacheflush.h> Signed-off-by: Ajith P V <ajithpv.linux@gmail.com> Link: https://lore.kernel.org/r/20211215132018.31522-1-ajithpv.linux@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-13T09:17:10+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2021-12-13T09:17:10+00:00 urn:sha1:af40d16042d674442db8cf5fd654fabcd45fea44 We need the fixes in here as well, and also resolve some merge conflicts in: drivers/misc/eeprom/at25.c Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-09T18:49:56+00:00 Eric Biggers ebiggers@google.com 2021-12-09T01:04:52+00:00 urn:sha1:a880b28a71e39013e357fd3adccd1d8a31bc69a8 wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll and aio poll are fortunately not affected by this, but it's very fragile. Thus, the new function wake_up_pollfree() has been introduced. Convert binder to use wake_up_pollfree(). Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> 2021-12-08T16:30:03+00:00 Arnd Bergmann arnd@arndb.de 2021-12-07T12:24:42+00:00 urn:sha1:9a0a930fe2535a76ad70d3f43caeccf0d86a3009 binder_uintptr_t is not the same as uintptr_t, so converting it into a pointer requires a second cast: drivers/android/binder.c: In function 'binder_translate_fd_array': drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset; | ^ Fixes: 656e01f3ab54 ("binder: read pre-translated fds from sender buffer") Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-03T13:29:39+00:00 Todd Kjos tkjos@google.com 2021-11-30T18:51:52+00:00 urn:sha1:09184ae9b5756cc469db6fd1d1cfdcffbf627c2d BINDER_TYPE_PTR objects point to memory areas in the source process to be copied into the target buffer as part of a transaction. This implements a scatter- gather model where non-contiguous memory in a source process is "gathered" into a contiguous region in the target buffer. The data can include pointers that must be fixed up to correctly point to the copied data. To avoid making source process pointers visible to the target process, this patch defers the copy until the fixups are known and then copies and fixeups are done together. There is a special case of BINDER_TYPE_FDA which applies the fixup later in the target process context. In this case the user data is skipped (so no untranslated fds become visible to the target). Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-5-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>